Kean University Risk Management Policy (User‑Facing)
WCAG 2.2 AA Compliant — Optimized for accessibility and readability.
Table of Contents
- What This Policy Is About
- Who Does What
- How Kean Makes Risk‑Based Decisions
- The Risk Lifecycle
- The Risk Register
- How Risk Ties Into Planning & Procurement
- Digital Risk as Part of ERM
- Training, Records & Reviews
- KPIs & Audits
- Quick Guide (What to Do)
- Need Help?
What This Policy Is About (In Plain English)
Risk management means seeing trouble early—and sometimes taking smart, informed risks—so Kean can keep teaching, research, student services, and operations running smoothly.
This policy explains how Kean identifies, assesses, treats, monitors, and reports risks across campus, including digital risks (cybersecurity, data, vendors, AI).
Example
A department wants a new cloud tool. Before buying, Kean reviews SOC 2 / HECVAT, data handling, privacy, and cost. If risk is acceptable with safeguards, we proceed; if not, we adjust or decline.
This policy applies to all units and projects: academic, administrative, research, and IT.
Who Does What (Friendly Version)
- Board & Executive Leadership — Oversight and approval of major risk decisions.
- Chief Risk Officer (CRO) & Risk Management Committee (RMC) — Run the program, set thresholds, review high items quarterly, and escalate as needed.
- Risk Owners — Usually department heads or project leads; manage risks and update the register.
- Internal Audit — Provides independent assurance and checks compliance.
- Everyone — Stay alert, report concerns, and follow the process.
Example
A lab switches where research data is stored. The PI checks classification, controls, and logs the risk if sensitive data or new vendors are involved.
How Kean Makes Risk‑Based Decisions
We use a clear authority threshold model:
Decision Thresholds
- Low — Department Manager decides; document it.
- Medium — Manager + Risk Manager; notify CRO; monitor.
- High — Reviewed & approved by RMC; track quarterly.
- Critical — Executive Leadership (and sometimes the Board) must approve; formal plan required.
Example
A $200K exposure, a potential vendor breach, or risk of campus‑wide disruption → High or Critical → send to RMC/ELT.
The Risk Lifecycle
Think of it as: Spot → Understand → Decide → Check → Report
A. Spot It (Identify)
Look for risks in projects, operations, vendors, data, compliance, finances, or reputation. Use audits, incidents, vendor assessments, and team feedback.
Example: Upgrading a major system during finals week → operational risk to teaching/learning.
B. Understand It (Assess)
Rate likelihood and impact (qualitative is fine; quantify if you can). Capture assumptions, control strength, and residual risk.
Use tools like qualitative 5×5 matrices or Risk Assessment templates.
Example: Likelihood “Possible,” impact “Major” → overall High; needs a plan and escalation.
C. Decide What to Do (Respond)
Choose Accept, Mitigate, Transfer, or Avoid. High/Critical risks require a plan, owner, and deadline.
Example: For a vendor handling restricted data, require MFA, encryption, and breach clauses; if refused, Avoid or Transfer to another provider.
D. Check on It (Monitor)
Review progress, test controls, and update indicators (incidents, overdue actions, repeat findings). Escalate if risk worsens.
Example: A patch backlog remains High after two quarters → escalate to RMC and tie to budget planning.
E. Report It (Communicate)
- Departments: monthly/quarterly to leadership
- RMC: quarterly dashboards to ELT
- Board: major exposures
The Risk Register (Single Source of Truth)
Kean keeps a central Risk Register for all material risks. Each entry includes: ID, category, description/root cause, likelihood/impact score, owner, strategy, actions, target date, status, timestamps.
Rules for the Register
- Ownership: Risks must have an accountable owner with authority to act.
- Reviews: Quarterly review; update after incidents, audits, or re‑scoring.
- Auditability: Version history, evidence links, and role‑based access required.
How Risk Ties into Planning, Budgets, Procurement & Change
Risk is integrated with annual budgeting, project approvals, procurement, change management, and grant oversight. High/Critical unfunded risks are flagged for executive review.
Examples
- Budgeting: Request funds to remediate repeated audit findings — tie to the Risk Register entry.
- Procurement: Selecting a new SaaS tool? Complete vendor/security review; log material risks.
- Change Management: Major system changes list risks, rollback plans, and mitigation owners; escalate if impacts exceed thresholds.
Digital Risk Is Part of ERM (Not Separate)
Cybersecurity, data governance, third‑party IT risk, and AI are fully integrated into the same risk process—no silos. Supplier risk programs (e.g., SOC 2, HECVAT) connect into ERM reviews and thresholds.
Examples
- Data governance: Misclassification of student data → log the risk, assign actions (relabeling, training), and track to closure.
- AI: Using non‑approved public AI for restricted data → add to the register; mitigation may require approved platforms or anonymization.
Training, Records & Reviews
- Training: Staff with risk duties complete annual training; awareness via campaigns/workshops.
- Recordkeeping: Use approved repositories (e.g., GRC/SharePoint) for assessments, plans, and evidence; retain 7+ years or longer if required.
- Annual Review: Policy and thresholds reviewed yearly or after major events; Internal Audit may spot‑check.
Example
After a severe incident, Kean runs a post‑incident review, updates risks, and adjusts training and controls based on lessons learned.
How We Measure Success (KPIs & Audits)
We track metrics like % of risks with owners/plans, time to remediate high risks, repeat incidents, and exception aging. Quarterly, the Risk Manager reports trends to the RMC/ELT; audits verify that documentation and actions match reality.
Quick Guide (What to Do When You See a Risk)
- Speak up early — tell your supervisor or risk owner.
- Describe it simply — what could go wrong, who’s affected, and how likely.
- Suggest a path — accept/mitigate/transfer/avoid; note budget/time needs.
- Track it — add or update the entry in the Risk Register (if your area uses it).
- Follow through — close actions and report progress in your unit’s review.
Need Help?
Start with your department head or project lead (risk owner). Contact the Risk Manager/CRO or RMC for High/Critical items or uncertainties.