University Risk Management Topics Assigned to

BACKGROUND

In 2015, OSU senior leaders initiated a project titled University Risk Management. The project is a best practice activity designed to further assist Oregon State University in meeting strategic, operational, compliance, and financial objectives. The goals of the project are to:

- Identify top risks that may hinder OSU's ability to achieve the objectives outlined in Strategic Plan 3.0;
- Implement activities intended to mitigate each risk identified; and
- Provide senior leadership and the Board with a tool to monitor progress in implementing the risk mitigation activities.

As part of this effort, in concert with key University stakeholders, the University's senior leaders evaluated the top risks they had identified, considering industry and external influences, prior OSU experiences, and the current OSU environment. In January 2016, these efforts resulted in a presentation to the Executive & Audit Committee on the subject, highlighting the issues most likely to hinder OSU's ability to meet University-wide objectives.

In March 2016, the Executive & Audit Committee (EAC) reviewed a model for developing action plans to mitigate the top risks and, advised by staff, assigned the risks to the various Board Committees based on alignment with each Committee's charter and work load.

Attachment provides an initial draft of the action plans for each risk topic assigned to the EAC. The summary documents are intended to provide campus leadership and the Board with information to monitor progress. The action plans will continue to be refined over the next year, especially with regard to metrics and goals.

NEXT STEPS

Staff will provide updates to the Committee on progress for each risk action plan over the next year. In addition, the Committee will discuss how to incorporate follow-up and discussion of these action plans in their 2017 work plan.

September 2, 2016 Executive & Audit Committee Meeting

Attachment Discussion Draft
Oregon State University
University Risk Management 2016-17 Priorities
All Hazard Planning

Board: Executive & Audit Committee
Risk Topic: All Hazard Planning
University Goal: A safe environment for the OSU community through swift and adequate response to emergencies
Type(s) of Risks to be Prevented: Operational (safety),, Financial, Reputational
Risk Owner(s): Provost, VP for Finance and Administration (VPFA)
Primary Risk Strategy(ies): Reduce, Share/Insure, Accept
Risk Team: Emergency Planning, Chief Risk Officer, Director of Department of Public Safety, Oregon State Police, Vice Provost for Student Services, Chief Officer

Plan
Objectives to Achieve Goal | Actions to Satisfy Objectives | Status Report

1. Develop and implement updated university Emergency Operations Plan (EOP)
   a. Convene a university committee to update EOP
   b. Seek approval and adoption of EOP by the Provost and VPFA
   c. Create a communication protocol for EOP
2. Institute training on emergency protocols
   a. Establish and implement a list of baseline trainings for OSU emergency personnel and the OSU Incident Management Team (IMT).
   b. Establish and implement outreach communications to inform all OSU staff and students of proper procedures in emergencies.
3. Test emergency response programs
   a. Conduct emergency drills of major disaster events at OSU campuses
4. Raise awareness of all relevant parties
   a. Conduct survey of employees and students regarding plans, protocols, and training drills

Performance Metrics
Metric | Current Measure | Goal | Comments

1. Number of OSU emergency personnel and OSU Incident Management Team trained | Percentage of IMT trained | 100%
2. Number of training drills | Clery required | Surpass Clery drill requirements and include all 3 OSU campuses
3. Number and schedule of awareness notices distributed | Two per month | 100%

Plan Review and Report Schedule
Action | Group | Completion Date or Frequency of Action

Provide Status Report | Campus Executive | Quarterly
Approval of plan | Provost, VPFA | Winter 2017
Discuss annual progress report
Review annual progress report; schedule educational and discussion items as identified in the committee's annual work plan
Cabinet
Academic Strategies
Comments: In advance of annual report Executive & Audit Committee

August 9, 2016 Academic Strategies Meeting

Attachment Discussion Draft
Oregon State University
University Risk Management 2016-17 Priorities
Information Technology Security

Board: Executive & Audit Committee
Risk Topic: Information Technology (IT) Security
University Goal: Efficient IT systems that meet strategic needs and ensure continuity of service to the campus
Type(s) of Risks to be Prevented: Operational,, Financial, Reputational
Risk Owner(s): Provost, Chief Information Officer (CIO)
Primary Risk Strategy(ies): Accept, Reduce, Share/Insure
Risk Team: Chief Information Security Officer, AVP Infrastructure and Operations, Director of Enterprise Computing, IT Security

Plan
Objectives to Achieve | Actions to Satisfy Objectives | Status Report

1. Identify risks
   a. Establish a methodology for identifying IT risks
   b. Perform annual assessment of systems and infrastructure
   c. Communicate results to Campus Executive
2. Develop priorities
   a. Develop an IT security plan that outlines the strategies for mitigating high-risk areas
   b. Review the plan with information security committee annually
   c. Concurrent with planning activities above, implement immediate actions identified in the assessment.
3. Communicate security standards
   a. Communicate and publish new and updated policies related to:
      - Data management
      - Acceptable use
      - Network
      - Incident response

Performance Metrics
Metric | Current Measure | Goal | Comments

1. Percentage of critical business processes and IT services identified and risks assessed against industry standard benchmarks.
2. Percent of critical risks with completed action plans.

Plan Review and Report Schedule

Action:
1. Performed IT Security Audit
2. CIO Presented to EAC about Information Security
3. Planned Follow-Up Audit
4. IT Security Plan Update
5. Discuss annual progress report
6. Review annual progress report, including trends and significant incidents; schedule educational and discussion items as identified in the committee's annual work plan

Group: Office of Audit Services; Executive & Audit Committee; Office of Audit Services; Campus Executive; Cabinet; Executive & Audit Committee

Completion Date or Frequency of Action: May, 2015; May 28, 2015; October 2016; Fall 2016, Quarterly Afterwards

Comments: In advance of annual report to Executive & Audit Committee