Prince Sultan University PSU
Policy Management System
Institutional Risk Management Policy

Policy Code: GV0004
Policy Name: Institutional Risk Management Policy
Handler: Vice-President for Administrative and Financial Affairs Office
Date Created: 15 August 2020
Date of Current Review:
Approved by: University Council
Date of Approval:

Policy Statement

This policy sets out Prince Sultan University’s (“PSU”) approach to risk management and the mechanisms it employs to identify, analyze, and manage risk. All unit managers are required to be responsible and accountable for managing risk.

Background And Justification

Risks of Prince Sultan University (PSU) can be defined as “the threat or opportunity that an action or event will affect PSU’s ability to achieve its strategic goals”. Risk management is important in key operational areas of PSU to ensure that threats and opportunities affecting the successful delivery of operating plans are appropriately addressed and effectively managed. In terms of risk, a ‘threat’ is an uncertain event with a negative effect on the likelihood of achieving PSU’s strategic goals; an ‘opportunity’, on the other hand, is an uncertain event with a favorable effect on that likelihood.

PSU’s view of acceptable risk is the balance between risk aversion and opportunity. In doing so, PSU follows the Corporate Governance Regulations (CG) Framework 2010 issued by the Capital Market Authority, Saudi Arabia (Resolution No. 8-16-2017; amended 20/5/2019). The CG framework in Saudi Arabia entails that forecasting risks and disclosing them with transparency is an important step for ensuring commitment towards effective risk management systems and internal control (Sarbanes-Oxley Act 2002 (SOX), Section 404 Guideline, page 3).

Three types of risks will be identified:

  • Academic Risk
  • Financial Risk
  • Other Risk

Scope and Purpose

This Institutional Risk Management Policy applies to all academic and non-academic departments and staff at Prince Sultan University. The aims of PSU’s Risk Management Policy are threefold:

  • To outline PSU’s underlying commitment to risk management in achieving strategic goals and objectives.
  • To ensure all significant risks are identified, evaluated, and updated periodically.
  • To assign accountability to all staff for risk management.

Principles of the Policy

PSU’s risk management framework is a continuous process and is the responsibility of all unit managers. The process includes:

  • Identification and Analysis: Identify probable risks that could possibly occur and analyze the likelihood and impact (Please refer to Appendix for GV0004 in the guidelines).
  • Risk Response Action Plan: Monitoring and control of actions employed to deal with identified risks (Please refer to Appendix for GV0004 in the guidelines).
  • Reporting: All risks raised will be recorded on the PSU Risk Register and will be owned by the Risk Management Committee (Please refer to Appendix for GV0004 in the guidelines). Reporting of risks will be carried out every two years.

The process is illustrated in the diagram below:

[Diagram: Principles of the Policy]

Crisis Management Framework

A crisis could be defined as “a sudden event or series of events that may seriously threaten the operations of PSU”. PSU will act proactively in identifying and managing any ‘crisis’ that may have the potential to threaten the PSU community. The Crisis Management & Response Management Team (CMRMT) will determine the classification of the crisis incident. In compliance with PSU and Saudi Ministry policies/guidelines, the CMRMT will then communicate with PSU communities and take appropriate actions to overcome the crisis that poses a potential threat to the operations and activities of PSU.

Following an emergency or crisis, the university’s CMRMT will then evaluate the action plans and their impact and incorporate its continuous risk management and crisis management policies. Following the crisis and the evaluation of the response to it, PSU may update other relevant policies and provide regular, tailored training for managing the crisis.

[Figure: Crisis Management Framework]

Crisis Incident classification:

  • Level 1 – Minor (low impact)
  • Level 2 – Moderate (potential to escalate)
  • Level 3 – Major/catastrophic

Crisis Management & Response Management Team (CMRMT): In relation to a crisis event, the University Senior Management Team will prioritize the safety of students, faculty, staff and the affected PSU community.

Definitions

Risks: Risks of Prince Sultan University (PSU) can be defined as “the threat or opportunity that an action or event will affect PSU’s ability to achieve its strategic goals”.

Responsibilities and Implementation Strategies

The Risk Management Committee is responsible for reviewing the effectiveness of PSU’s risk management every two years based on information provided by each unit. For each significant risk identified, the committee will review the prior actions and examine the institution’s track record on risk management. This will help the President’s Executive Committee and the Board of Trustees to view the overall risk management of PSU.

An example of the Prince Sultan University Risk Register is shown in the Appendix for GV0004 in the guidelines.

  • Each College-Department / Unit / Centre will be denoted by its respective acronym, e.g. CBA-ACC means College of Business Administration, Department of Accounting. For Units / Centres: TLC for Teaching and Learning Center;
  • Each Risk statement has a unique number (e.g. CBA-ACC-AR-001), which is called the Risk ID;
  • Each Risk statement is categorized as Academic/Financial/Other risk: AR = Academic Risk; FR = Financial Risk; OR = Other Risk;
  • A unit manager is responsible for identifying and managing each risk statement;
  • Each Risk statement should have a cause and impact description;
  • Each Risk statement should have a score: 1 - Low; or 2 - Medium; or 3 - High;
  • Based on the overall risk score, the unit manager should provide a risk response action plan;
  • After the action plan, the unit manager also determines the risk control score (1 [Low response]; or 2 [Medium response]; or 3 [High response]);
  • The residual risk score indicates the significance of the action plan, i.e. how far the overall risk can be reduced after the necessary actions; and
  • Finally, a unit manager provides the evaluation of each risk statement every two years.

In addition to Prince Sultan University (PSU) Risk Register, the risk management committee and unit managers may identify any risks, including ones specific to circumstances.

As part of crisis management, due to the Coronavirus disease (COVID-19) outbreak in March 2020, all programs were instructed to move to online teaching and assessment.

Procedures for Handling Policy Violation

The PSU Institutional Financial and Risk Management Committee, in coordination with the Risk Management Office, will evaluate the Risk Register regularly. In case of any non-compliance with the Risk Management Policy, the PSU Institutional Financial and Risk Management Committee will report to the Vice-President for Administrative and Financial Affairs Office and the Compliance and Legal Office.


Appendices: Please find the guidelines for PSU’s Risk Management Policy (GV0004)

Appendix for GV0004

Guidelines for Prince Sultan University (PSU) Risk Management Policy

The guidelines include three sub-sections:

GV0004.1 Risk Management Committee, and its Roles & Responsibilities

GV0004.2 Formation of Crisis Management & Response Management Team (CMRMT)

GV0004.3 Risk Assessment Methodology and Matrix

GV0004.4 Prince Sultan University Risk Register (Example)

GV0004.1 Risk Management Committee, and its Roles & Responsibilities

The vision and mission of the Risk Management Committee are as follows:

Vision

The effective management of risk, which is an integral part of PSU Strategic Planning.

Mission

To evaluate the effectiveness of the management of risks identified by the unit manager.

Roles and Responsibilities

The responsibilities of the Risk Management Committee include: determining PSU’s approach to risk management involving unit managers; discussing and approving issues that significantly affect PSU’s risk profile or exposure; continually monitoring risks and ensuring that actions are being implemented; and reviewing risks every two years.

Memberships of the risk management committee for AY 2022-23 are as follows:

| # | Name, Administrative/Academic Position | Committee Position |
|---|---|---|
| 1 | Prof. Dr. Saad Al-Rwaita, Vice President, Administrative and Financial Affairs | Chair |
| 2 | Prof. Dr. Mohammad Nurunnabi, Aide to the President on Ranking and Internationalization; Director – Center for Sustainability and Climate; Chair, Accounting Department | Co-Chair |
| 3 | Dr. Heba Khoshaim, Vice President of Campus for Women | Member |
| 4 | Dr. Nasser Alsadoun, Assistant to the Vice President for Administrative and Financial Affairs | Member |
| 5 | Dr. Saad Almosa, Dean, CBA | Member |
| 6 | Mr. Abdulaziz Al-Obaid, Director, HRO | Member |
| 7 | Mr. Munir Shaiq, Senior Administrator, Office of the Vice President for Administrative and Financial Affairs | Member |

GV0004.2 Formation of Crisis Management & Response Management Team (CMRMT)

The CMRMT will be chaired by the PSU President and consists of:

  • President, Prince Sultan University (PSU), (Chair of CMRMT)
  • Vice President for Administrative and Financial Affairs
  • Vice President for Academic Affairs
  • Vice-President, Campus for Women/Vice Dean, DAR
  • Dean, Deanship of Quality Assurance and Development
  • Dean, College of Business Administration (CBA)
  • Dean, College of Computer and Information Sciences (CCIS)
  • Dean, College of Engineering (CE)
  • Dean of the College of Law (CL)
  • Dean, College of Humanities (CH)
  • Dean, Deanship of Educational Services (DES)
  • Vice Dean, College of Business Administration (CBA)
  • Vice Dean, College of Law (CL)
  • Vice Dean, College of Humanities (CH)
  • Chair/Co-Chair, Institutional Risk Management Committee
  • Other Related centers/units at PSU depending on the crisis response (Nominee by the President)

GV0004.3 Risk Assessment Methodology and Matrix

Each risk will be assessed based on two components: likelihood and impact of risk occurrence. Each component will be evaluated based on a 3-point scale.

Likelihood: How likely is the risk going to happen?

  • Low – Likelihood of occurrence (<20% chance of occurrence)
  • Medium – Likelihood of occurrence (20% - 60% chance of occurrence)
  • High – Likelihood of occurrence (>60% chance of occurrence)

Impact: What would the impact be if the risk occurs?

  1. Low – Unlikely to have a significant effect
  2. Medium – Potential impact but may be managed through existing processes
  3. High – Significant impact on performance

Risk Level Determination (Overall Risk Score)

The 3x3 matrix below can be used to calculate the overall risk score:

| Impact \ Likelihood/Probability | 1 - Low | 2 - Medium | 3 - High |
|---|---|---|---|
| 3 - High | 3 (Low likelihood & High impact) | 6 (Medium likelihood & High impact) | 9 (High likelihood & High impact) |
| 2 - Medium | 2 (Low likelihood & Medium impact) | 4 (Medium likelihood & Medium impact) | 6 (High likelihood & Medium impact) |
| 1 - Low | 1 (Low likelihood & Low impact) | 2 (Medium likelihood & Low impact) | 3 (High likelihood & Low impact) |

Overall Risk Score (in color) and Risk Level

| Overall Risk Score | Risk Level | Action |
|---|---|---|
| 6 – 9 | High | High priority remedial action |
| 3 – 4 | Medium | Medium priority remedial action |
| 1 – 2 | Low | Risk acceptable; there are no imminent dangers |

Risk Control Score based upon Action Plan

The Risk Control Score is based upon the appropriate action taken to mitigate each individual risk. Each control score ranges from 1 to 3:

  • High: 3, significant control measures are fully in place
  • Medium: 2, i.e. some controls in place but further actions to be planned
  • Low: 1, i.e. no action is in place

Risk Control Score Calculation and Risk Level in Color

Risk Control Score (Residual Score) = Overall risk score / Risk control score. This is the scale of the risk after taking the necessary actions.

| Residual Risk Score | Risk Level after Actions |
|---|---|
| 6 – 9 | High |
| 3 – 4 | Medium |
| 1 – 2 | Low |

GV0004.4 Prince Sultan University Risk Register (Example)

[Figure: GV0004.3 Prince Sultan University Risk Register (Example)]