
Risk Mgtv2

The University of Gondar's Risk Management Policy and Strategy outlines a comprehensive framework for identifying, assessing, and mitigating risks that the institution may face, including strategic, financial, operational, compliance, reputational, security, and quality risks. The document emphasizes the importance of integrating effective risk management into all university activities to ensure sustainability and growth, while also promoting informed decision-making among stakeholders. It includes guidelines for risk identification, analysis, mitigation strategies, and the roles and responsibilities of various university committees and individuals in the risk management process.

Uploaded by

yonatanagegnehu9

University of Gondar
P.O.Box 196
Gondar, Ethiopia
Email: info@uog.edu.et
Web: www.uog.edu.et

Risk Management:
Policy and Strategy

Zero Draft

Dec.2024

Table of Contents
1. Introduction
2. Purpose and objectives
2.1 Purpose
2.2 Objectives
3. Scope of the document
4. Policy statement
5. Definitions of Terms
6. Risk Management Framework
7. Risk management procedures
7.1 Risk identification and Categories
7.2 Risk analysis
7.2.1 Likelihood
7.2.2 Impact
7.3 Risk Mitigation
7.4 Risk Reporting and Communication
7.5 Risk register
8. Risk Mitigation strategies
Reduce unneeded cost
Strengthen Internal Policies and Processes
Engage with Stakeholders
9. Risk Management Committee
10. Duties and responsibilities
11. Risk Monitoring & Review of Policy
12. EFFECTIVE DATE

1. Introduction

The story of Pharaoh and Joseph in the Old Testament shows that managing risk is not a new
idea. In Egypt, during a seven-year drought, many people had stored up large amounts of corn.
Because of this, they were able to survive the famine by eating the food they had saved. This
demonstrates that dealing with risks and finding solutions is not a new or unusual concept, nor
is it a modern invention.

Risks are potential events that haven’t happened yet. When we talk about their impact, we’re
referring to what could happen if the risk occurs. Once a risk does happen, it becomes an actual
problem or incident that the organization needs to manage, often using contingency plans and
policies. Because of this, most risk management efforts focus on avoiding, reducing, or
preventing risks before they happen.

In fact, every operation involves some level of risk. However, not all risks are equal—some are
more severe or serious than others. Therefore, risks should be addressed based on their potential
impact or severity. This is one of the purposes behind the development of this document.

In higher education, risks to modern campuses can be both physical and virtual. Physical risks,
such as fires or floods, can still overwhelm even the most technically advanced institutions. On
the other hand, virtual threats/risks—like cyber-attacks from hackers across the globe or viral
misinformation on social media—pose a different kind of danger. Both types of risks can leave a
college or university damaged, vulnerable, and struggling to regain normal operations.
However, there is a silver lining: many institutions are increasingly recognizing the importance
of managing these risks and are taking proactive steps to implement strategies that prepare and
protect their campuses in line with the Mission, Vision and Strategic Aims of the University.

The University of Gondar is one of the higher education institutions established in 1954. It is
one of the research universities in Ethiopia, transforming from a state-controlled university to
autonomous status based on Higher Education Proclamation 1294/2023. This transition will
introduce both opportunities and challenges or risks. As important as it is to enjoy and cherish the
opportunities, it is also imperative to be prepared for and effectively manage the challenges/risks
the university could face in both the short and long run. In this regard, the university has
designed a comprehensive risk management framework and mitigation strategy guideline. This
framework is mainly concerned with key academic and research operations, governance,
academic integrity, research activities, community engagement and financial sustainability.

Based on this background, the University of Gondar and its affiliated colleges should conduct a
comprehensive assessment of all potential risks facing the institution in line with its Senate
legislation & Mission, Vision, and Strategic Aims.

These include:

1. Strategic Risks: Risks that could hinder the university’s ability to achieve its long-term goals
and objectives.
2. Financial Risks: Risks that may lead to the loss of assets or financial instability.
3. Operational Risks: Risks that impact the university’s day-to-day operations, including
teaching and administrative functions.
4. Compliance Risks: Risks related to failure to adhere to external laws and regulations, as well
as internal policies and procedures.
5. Reputational Risks: Risks that could damage the university's brand, public perception, or
overall reputation. Common types of risks include: strategic, compliance, financial,
operational, reputational,
6. Security risks: risks which have to do with possible threats to the organization's physical
premises, as well as information systems security and
7. Quality risks: risks which are specifically associated with the products or services that an
organization provides.

Generally, risks are an inherent part of university operations, and effectively managing them is
crucial for the institution's ongoing success, sustainability, and growth. Risk management is an
ongoing process, as universities must adapt to emerging challenges. A proactive and
comprehensive approach, involving careful planning, clear communication, and continuous
monitoring and evaluation, can help mitigate the risks universities face today.

Therefore, this document covers not only risk, risk assessment, and management, but also
provides strategies for mitigating risks. It also includes a policy statement and clarifies the roles
and responsibilities of the board, Council members, the audit Committee, the management team,
deans/directors, and other key individuals. Additionally, it outlines the key components of the
risk management process and specifies the reporting procedures.

2. Purpose and objectives

2.1 Purpose

The purpose of this initiative is to identify and assess the key internal and external risks, both
physical and digital, that the University of Gondar is likely to face. This includes evaluating the
severity and potential impact of these risks at both the university-wide and individual campus
levels. Based on this evaluation, the initiative will propose specific strategies to mitigate these
risks, aiming to prevent or reduce their effects in alignment with the University’s Mission,
Vision, and Strategic Goals.

2.2 Objectives
The specific objectives derived from this purpose are to:
§ Outline a standardized framework for identifying, assessing, measuring, managing, and
communicating the potential risks that may affect the University
§ Develop and propose appropriate mitigation strategies tailored to the specific context of
the University of Gondar.
§ Support the University in making well-informed decisions while fostering accountability
in risk management practices among all stakeholders and members of the University
community, across all levels.
§ Outline and describe the risk mitigation strategies that have been implemented to
address both internal and external risks—whether physical or virtual—at the university-
wide level, as well as at the individual campus level.

3. Scope of the document

This Risk Management Policy and Strategy applies to all members of the University and covers
all functions and activities within the University of Gondar.

4. Policy statement

i. The university is dedicated to integrating effective risk management into all of its
activities, ensuring that comprehensive risk management procedures are established
across the university, supporting a proactive approach to identifying, assessing, and
addressing evolving risks
ii. The University encourages informed risk-taking as a means to achieve its mission, vision,
and strategic goals, while always prioritizing the health, safety, and wellbeing of students,
staff, affiliates, and the public.
iii. The University seeks to minimize risks that could potentially harm its culture of
excellence in research and education, damage its long-term brand and reputation, and
impact areas such as health and safety, regulatory compliance, and financial stability
iv. The university acknowledges its responsibility to manage risks systematically, fostering a
culture that prioritizes awareness and informed decision-making in risk management.

v. The University acknowledges that risk not only presents threats but also creates
opportunities for innovation and improvement in our ways of working. There are also
risks in failing to seek or act on these opportunities when they arise. We encourage the
sharing of innovative ideas and best practices across the University
vi. While the application of risk management practices is essential, it cannot entirely
eliminate all risk exposure. By following the risk management approach outlined in this
framework, we aim to gain a deeper understanding of the risks faced by the campuses and
the potential implications for them. This knowledge will guide and inform our decision-
making processes
vii. Regular meetings are held by the risk lead officers from each concerned unit of the
university, typically every three months, to ensure effective communication and
management of risks.
viii. All university colleagues are required to have a clear understanding of the risk-related
findings and the organization’s risk appetite. Furthermore, individuals at all levels of the
university must take responsibility for managing the risks associated with their activities
ix. The Corporate Performance, Financial, and Risk Management Group acts as the
organization's "Risk Forum." Its responsibilities include reviewing, evaluating, and
determining which risks should be escalated for inclusion in the Audit Committee's risk
register
x. The University should be committed to protecting and enhancing its resources and
strategic opportunities through a comprehensive Risk Management Plan and Framework.
The University recognizes that risk management is not only an operational function but
also a crucial element of institutional strategy, budget planning, and project execution
xi. The importance of risk management and its role in guiding the organization has to be
outlined in the concerned bodies of the University along with supporting documents. This
information should also be summarized in the Annual Report and Accounts each year.
xii. The University Management has to be expected to take proactive measures to manage
and mitigate
xiii. The University of Gondar has to develop and deploy effective risk management practices to
improve corporate governance and establish a reliable basis for decision-making and
planning
xiv. The University will communicate and implement its principles and practices throughout
the University in a timely, consistent and user-friendly manner.
xv. University of Gondar is committed to ensuring the achievement of this policy through
regular monitoring, audits, and reporting

5. Definitions of Terms
§ Risk. The threat or possibility that an action or event will adversely or beneficially affect
University ability to achieve its goa T
§ Risk analysis: The systematic process applied to understand the effect of risk on our goals
and objectives.
§ Risk Evaluation: The process of comparing the significance of the risks to define the
order in which they should be dealt with.
§ Risk identification: The process of determining risks that could potentially prevent
achieving its objectives.
§ Risk management: The culture, processes and structures that are directed towards the
effective management of potential opportunities and possible adverse effects within the
University’s environment.
§ Risk management framework: A comprehensive set of components that establish the
foundation and organizational structure for designing, implementing, monitoring, reviewing, and
continuously improving risk management processes across the University
§ Risk Management process: The systematic application of management policies, procedures
and practices to the tasks of communicating, establishing, identifying, analyzing,
evaluating, monitoring and reviewing risk.
§ Risk Mitigation: Refers to actions that must be taken to lower the likelihood of the risk
occurring and/or to minimize the impact if the risk occurs.
§ Audit Committee: A committee appointed to support the Council/the university leaders in
monitoring the corporate governance and control systems in the organization including risk
management.
§ Exposure: The consequences, as a combination of impact and likelihood, which may be
experienced by the organization if a specific risk is realized.
§ Gross or Raw Risk (or Inherent Risk): The exposure arising from a specific risk before any
action has been taken to manage it.
§ Internal Control: Any action, originating within the organization, taken to manage risk.
These actions may be taken to manage either the impact if the risk is realized, or the
likelihood of the realization of the risk.
§ Likelihood: The condition of being likely or probable; or the chance of something happening.
§ Monitoring Indicators: Any measure that tells us whether the mitigating actions are having
the desired effect, e.g. KPIs.
§ Net or Residual Risk: The exposure arising from a specific risk after mitigating action has
been taken to manage it and making the assumption that the action is effective. (Note this is
reflected on the SRR as a Mitigated Risk Rating.)

6. Risk Management Framework

§ The University's Risk Management Framework aims to provide staff with a set of structures and
processes to facilitate the integration of risk management principles into university culture, and
provides a systematic approach to identify the risks that the University will face during and after
the autonomy process (DAPAP), how big the risks are, why they occur, and how they can be mitigated.
§ The risk management framework essentially focuses on identifying potential risks that
the university could encounter, and on assessing and mitigating them as effectively as possible
before they hamper the functioning of the university at any level.
§ The structures and processes ensure that risk management is implemented across all aspects of
the University's business, in accordance with good governance guidelines, quality assurance and
legislative requirements.
§ In order to make risk management within the University more efficient and effective, a structured
framework consisting of a policy, plan and mitigation strategy has been developed.

The University of Gondar Risk Management Framework includes the following parts:
a. Risk Policy: the guiding document of the framework that formally outlines the policy
principles, procedures and individual and institutional responsibilities, requirements and
structures imposed by the management, government and other regulatory authorities.
b. Risk Register: principal repository for risks across the University that enables
management to profile risks, monitor controls and prioritize treatment actions.
c. University Risk Management Committee: responsible for co-ordination of risk
management within the University.
d. Monitoring and Review: on a regular and needs basis, to enable the University to
confirm that risk management is relevant, effective, sustained and facilitates the
achievement of objectives.
e. Formal Reporting: the University is required to report to various internal and external
bodies, via the university risk register or audit reports and other approved reports

7. Risk management procedures


§ Risk management is about identifying and understanding the potential threats, actions, or events
that will adversely or positively affect the achievement of the University's objectives, then
analyzing, evaluating, and reporting on these risks.
§ Effective risk management across the university during and after the autonomy process
will result in stability, safety, and good university governance.
§ The university risk management procedure includes: risk identification, risk analysis, risk
evaluation, risk mitigation, and risk reporting and communication.

7.1 Risk identification and Categories


§ Risks are inherent in the University's operations, and managing these risks is essential for
ensuring the university's continued success, sustainability, and growth. Risk management is a
continuous process in which universities must work towards meeting new challenges.
§ An immediate and inclusive approach that includes planning, communication, and
ongoing monitoring and evaluation can help to mitigate the risks that universities face today.

The university shall identify specific risks from the following sources:

Table 1: Risk category (each risk category is listed with its specific risks)

Governance and Leadership Risks:
· Lack of Accountability
· Conflicts of Interest
· Inadequate Risk Management
· Ethical or Compliance Failures
· Ineffective Decision-Making Processes
· Inadequate Communication and Transparency
· Dysfunctional Organizational Culture
· Failure to Adapt to External Changes
· Leadership Succession Risks
· Inadequate Strategic Oversight

Financial Risks:
· Budget mismanagement or inability to balance resources post-autonomy.
· Potential legal and regulatory issues regarding financial transparency
· Over-dependence on government funding during the transition period.
· Insufficient diversification of revenue sources (e.g., tuition fees, research grants, endowments).
· Risks associated with managing tuition fee structures and scholarship programs.
· Vulnerability to economic fluctuations, especially if reliant on state funding.

Operational Risks:
· Inadequate infrastructure or facilities to support autonomous functions.
· Technology gaps, including data security and IT systems.
· Lack of effective risk management in day-to-day operations (e.g., staffing issues, health and safety risks).

Compliance and Legal Risks:
· Non-compliance with the national accreditation regulations.
· Legal challenges from staff, students, or external parties (e.g., breach of contracts, intellectual property issues).
· Changes in tax law or regulatory policies affecting university operations

Academic and Research Integrity Risks:
· Decline in academic standards due to poor management or lack of quality assurance processes.
· Loss of staff talent and turnover impacting research output or educational quality.
· Inadequate research ethics or compliance with federal funding rules
· Lack of academic freedom and research independence.
· Insufficient faculty development programs.
· Curriculum misalignment with industry demands or global trends.
· Challenges in maintaining accreditation and international recognition.

Technological Risks:
· Cyber security breaches affecting sensitive student, financial, and research data.
· Outdated IT infrastructure that cannot support new academic or operational demands.
· Inefficiencies or disruptions in digital learning environments and online courses.

Reputational Risks:
· Negative publicity due to financial mismanagement, legal issues, or poor student outcomes.
· Public dissatisfaction with tuition increases, service cuts, or leadership decisions.
· Criticism regarding the university’s social responsibility, diversity, or environmental impact

Student Enrollment and Satisfaction Risks:
· Decline in student enrollment due to competition, reputation decline, or financial limitations.
· Student dissatisfaction due to perceived quality of education or services

Strategic Risks:
· Inability to implement a strategic vision for long-term growth.
· Weak alignment between academic programs and labor market needs.
· Lack of sufficient planning for international partnerships or global competitiveness.

External Stakeholder Risks:
· Changes in funding sources or regulatory requirements by federal or state governments.
· Withdrawal or reduction of philanthropic support from donors or corporate sponsors

Political circumstances:
· Campus Protests and Activism
· Government Policies and Regulations
· Polarization and Campus Divisions
· Funding and Donor Influence
· International Relations and Collaborations

Natural:
· Pandemics and Health Crises
· Drought and Water Scarcity
· Wildfires
· Extreme Weather Events

Public/professional/product liability:
· Public Liability
· Professional Liability
· Product Liability
7.2 Risk analysis
§ Risk analysis is the process of identifying, assessing, and prioritizing potential risks that
could affect an organization’s objectives, operations, or stakeholders. Each risk
identified will be assigned a value for likelihood and impact.

7.2.1 Likelihood:
§ Likelihood is the probability that an adverse event, which could cause materialization of
the risk, may occur.
§ For every risk identified, a probability score on its likelihood of occurrence will be
assigned. The values to be assigned range from 1-5.
Table 2: Risk level and category

| Risk level | Risk category | Probability of occurrence |
|---|---|---|
| 1 | Very low | 5% likely to happen |
| 2 | Low | 10% likely to happen |
| 3 | Medium | 20% likely to happen |
| 4 | High | 50% likely to happen |
| 5 | Very High | Over 50% likely to happen |

7.2.2 Impact:
Impact is the potential loss should the risk materialize. The best measure of the impact of a
potential risk is its impact on the University's strategic objectives. Values to be assigned range
from 1-5, with the following explanations attached to each value.

Table 3: Risk Level and Impact

| Impact level | Risk category | Description |
|---|---|---|
| 1 | Very low | No impact |
| 2 | Low | Outcomes from the risk unlikely to cause negative impact |
| 3 | Medium | Outcomes from risk having negative impact but can be managed |
| 4 | High | Outcomes from risk having significant impact that require major effort to manage |
| 5 | Very High | Outcomes from risk which if not resolved will threaten the success of the university |

7.3 Risk Mitigation

Universities, including the University of Gondar, are not immune to various threats. As the
institution transitions towards a more knowledge-driven economy, academics face increasing
pressure to align their work with international, national, and societal needs. This shift can have
potential long-term consequences. The University of Gondar is not exempt from these challenges
and may encounter risks from multiple directions. Therefore, it is essential to implement
effective risk mitigation strategies to achieve its desired outcomes.

Risk management is a crucial ongoing process for ensuring the university's long-term success,
sustainability, and growth. Universities must adapt to emerging challenges through continuous
risk management practices. An inclusive, proactive approach—one that incorporates planning,
communication, and regular monitoring and evaluation—can help reduce the risks universities
face today. The following are the potential risks identified at the University of Gondar and their
corresponding mitigation strategies.

7.4 Risk Reporting and Communication


The risk management strategy requires effective communication throughout the University to obtain the
relevant information on risks and to fulfill the governance function of ensuring risks are properly
managed and reported. Risk communication comprises the following documents: Risk registers,
Annual Risk Matrix, Quarterly Risk Map, Ad hoc reporting and Whistleblower's log.

Risk reporting and communication ensures that:

§ Risk registers are prepared and maintained at all levels.
§ Risk communication is done quarterly to the University Council.
§ The Risk Manager reports to UMB on medium risks quarterly and acts as a link between Internal
Audit and the rest of the staff.
§ Risk Coordinators report to the Risk Manager quarterly and act as a link between university
units and the Risk Steering Committee.
§ The risk policy framework, once established, is communicated to all staff together with their roles.
§ Risk intelligence, management strategies and lessons learnt are shared across university units.
§ Each level of management receives regular feedback about the management of risk within their
area of control.

7.5 Risk register


The Risk Manager will maintain a current register of all the risks identified and details of how
risks have been disposed of. This register shall be available for inspection by the Audit
Governance and Risk Committee of Council and the University Management Board.

8. Risk Mitigation strategies

The University of Gondar is a complex educational and research hub, and it is tasked
with fostering academic excellence, cultivating intellectual and safeguarding the well-being of
its diverse constituents, including students, faculty, staff, and the institution itself. However,
this complexity also presents a host of potential risks that must be proactively addressed to
ensure the well-being of students, faculty and staff, and the institution's reputation, customer
confidence, continued viability and success.

Table 4: Risk, Consequences and Mitigation Strategy of UoG at Time of Autonomy

S.No 1. Risk category: Governance and Leadership Risks

Specific risks:
· Lack of Accountability
· Conflicts of Interest
· Inadequate Risk Management
· Ethical or Compliance Failures
· Ineffective Decision-Making Processes
· Inadequate Communication and Transparency
· Dysfunctional Organizational Culture
· Failure to Adapt to External Changes
· Leadership Succession Risks
· Inadequate Strategic Oversight

Consequences of the risk:
· Power struggles or lack of clarity in leadership roles.
· Ineffective decision-making due to insufficient autonomy or failure.
· Loss of trust or alignment with the Board or council, colleges, or administrative leadership.
· Resistance to organizational change
· Lack of vision
· Leadership turnover
· Loss of accountability
· Resistance to adopting new technology
· Failure to protect sensitive data
· Poor allocation and mismanagement of budget
· Ineffective leadership

Mitigation strategy:

Strengthen Governance Structures
· Establish a Clear Governance Framework: Define roles, responsibilities, and reporting lines for the board, executives, and management.
· Separation of Powers: Ensure a clear distinction between the board's oversight role and management's operational role.
· Independent Boards: Appoint independent board members to provide unbiased oversight and minimize conflicts of interest.

Promote Ethical Leadership
· Develop and enforce a robust code of conduct that outlines acceptable behavior for leadership.
· Ensure senior leaders model ethical behavior, fostering an ethical organizational culture.

Improve Decision-Making Processes
· Use reliable data and analytics to support leadership decisions.
· Incorporate risk assessments and contingency planning into strategic decisions.
· Involve stakeholders in decision-making (collective decision) to ensure diverse perspectives and transparency.

Enhance Leadership Competency
· Invest in training and mentoring to build leaders' skills and competencies.
· Identify and develop future leaders to ensure continuity and reduce risks of leadership gaps.
· Conduct regular evaluations of leadership performance against clear, measurable goals.

Build a Culture of Continuous Improvement
· Encourage a culture of learning from governance or leadership failures.
· Regularly update governance practices to align with changing market and regulatory conditions.
· Engage consultants or advisors for unbiased reviews and recommendations.

S.No 2. Risk category: Financial risk

Specific risks:
· Revenue risk
· Cost management risk
· Budget and cash flow risk
· Investment and endowment risk
· External funding risk
· Fraud and mismanagement risk
· Failure to diversify revenue risk
· Unprofitable program

Consequences of the risk:
· The University pushing senior staff to seek employment in other institutions or countries.
· The University Administrations may implement measures that threaten the working conditions of staff, such as hiring and salary freezes, salary cuts and non-renewals of contract agreements.
· It might be a challenge to provide the laboratory equipment needed to improve the quality of education and other services.
· Vulnerability to economic fluctuations, especially if reliant on state funding.

Mitigation strategy:
Diversify investment
· Diversification is a way to spread risk across multiple areas, which helps minimize the risk and volatility of the university business. For instance, this university has a well-known specialized hospital. Therefore, the university can invest in this hospital in terms of providing cost-effective advanced medical services to attract patients throughout the country and beyond. This will improve the income of the university and make it competitive at the East Africa level as a center of medical tourism. Furthermore, advance the agricultural research centers and mechanize the farms under the university.
Diversifying revenue streams:
· through partnerships with industry, international donors, and alumni contributions.
Cost Management and Efficiency
· Conduct regular financial audits to identify inefficiencies.
· Implement cost-cutting measures without compromising academic quality (e.g., energy-saving initiatives, shared services).
· Automate administrative processes to reduce overhead costs.
Contingency Planning
· Build a financial reserve to manage emergencies.
· Regularly update risk management frameworks to account for emerging threats.
· Secure appropriate insurance coverage for property, liability, and business interruptions.
Invest in quality assurance (QA)
· Institute strong QA measures for the different services at the university to make sure services meet the desired quality standard, such as checklists, sampling and supervision throughout the production process and services, which can help ensure better outcomes of the service.
Reduce unneeded cost
· It is important to manage leverage risk by keeping costs as low as possible to avoid excess costs, such as unplanned payments to lower unforeseen challenges.

S.No 3. Risk category: Operational risks

Specific risks:
· Academic risk (certificate and exam process)
· Delay in executing the research risk
· Lack of adequate infrastructure
· Inefficient process of activities (procurements)
· Low integrity of ICT with teaching/research

Consequences of the risk:
· When equipment is malfunctioning or unavailable, the customers will receive low-quality service. This can lead to adverse outcomes and decrease the trustworthiness of the university.
· Financial burden: The University may have to pay extra cost for maintenance and, furthermore, be exposed to opportunity cost.
· Exposes the staff to different risks like chemical hazard, biohazard and radiation hazard.
· Lower standards of services like medical diagnosis.
· Leads to lower reputability of the University
· Inadequate infrastructure or facilities to support autonomous functions.
· Technology gaps, including data security and IT systems.
· Lack of effective risk management in day-to-day operations (e.g., staffing issues, health and safety risks).

Mitigation strategy:
Strengthen Internal Controls
· Develop clear, well-documented standard operating procedures (SOPs).
· Segregation of Duties: Separate critical functions to reduce opportunities for errors or fraud.
· Automation: Use technology to minimize manual processes prone to human error.
Employee Training and Awareness
· Educate employees on compliance, fraud prevention, and operational risk management.
· Foster a culture where employees take ownership of risk management.
· Provide secure channels for employees to report operational vulnerabilities.
· Provide training for the concerned body (staff) on how to maintain equipment by making an agreement with the factories or importers
· Make periodic maintenance of the equipment
· Develop a code of conduct (professional ethics) working document for technicians/experts who utilize the equipment improperly
· Insurance for the equipment
· Conduct regular internal and external audits to ensure adherence to policies.
· Metrics and KPIs to track improvements and areas needing attention.

S.No 4. Risk category: Compliance and Legal Risks

Specific risks:
· Financial compliance risk (grant mismanagement, tax compliance)
· Employment and Labor risk
· Student data privacy risk
· Research compliance risk
· Campus safety risk

Consequences of the risk:
· Financial penalties: Fines and penalties can be substantial, depending on the severity of the violation
· Reputational damage: Customers can quickly lose trust and loyalty in the service that is non-compliant
· Business interruption: Disrupted business activities can severely limit business production. Customers and employees affected by the violation could sue the business, resulting in further financial and reputational damage.

Mitigation strategy:
Establish a Governance Framework
· Create compliance Office: Create or strengthen a dedicated compliance office to oversee adherence to legal and regulatory requirements.
· Develop clear, accessible, and regularly updated policies on areas such as data protection, academic integrity, discrimination, harassment, research ethics, and financial compliance.
· Perform periodic risk assessments to identify, evaluate, and prioritize legal and compliance risks.
Strengthen Legal Oversight
· Engage legal experts to ensure adherence to relevant laws and regulations.
· Establish a robust review process for agreements, partnerships, and research grants to mitigate contractual risks.
· Protect institutional Intellectual Property and ensure proper licensing agreements with external parties.
Monitor and Audit Regularly
· Conduct regular audits of academic, financial, and operational activities to detect and address gaps.
· Use Key Performance Indicators (KPIs) to track metrics such as incident reports, policy violations, and resolution times.
Focus on Key Risk Areas
· Ensure adherence to research ethical guidelines, funding agency requirements, and export control laws.
· Protect student privacy and ensure equitable treatment in admissions, discipline, and academic processes.
· Comply with labor laws, including equal opportunity employment, wage laws, and workplace safety.
· Monitor financial aid, grants, and procurement to prevent fraud or misuse of funds.
· Understand contracts: Ensure and understand the contracts that the University signs.
· Stay up to date on regulations: Keep up with new and changing regulations.

S.No 5. Risk category: Academic and Research Integrity Risks

Specific risks:
· Negligence in Supervision
· Ethical Violations in Human and Animal Research
· Exam Misconduct
· Data Privacy Violations
· Research Misconduct (unethical or irresponsible practice)
· Intellectual Property Infringement (claiming ownership of intellectual property)
· Breach of Confidentiality
· Authorship and Collaboration Misconduct
· Plagiarism
· Fabrication and Falsification

Mitigation strategy:
Policy Development and Enforcement
· Establish clear policies on academic and research integrity, including definitions of misconduct such as plagiarism, data falsification, fabrication, and unethical authorship.
· Communicate policies clearly to all stakeholders, including students, researchers, and faculty.
· Develop strong consequences for violations to prevent misconduct.
· Implement regular training programs for students, researchers, and faculty on ethical research practices, citation methods, and academic honesty.
· Foster an academic environment that values transparency, honesty, and accountability.
· Encourage open discussions about ethical dilemmas in research and learning.
· Establish mentoring systems where senior researchers guide junior members on ethical practices.
Educational Interventions
Plagiarism Awareness
· Educate individuals about the risks and consequences of plagiarism and how to avoid it.
Research Methodology Training
· Offer workshops on sound research design, data collection, and analysis to reduce the likelihood of errors and misconduct.
· Train researchers on reproducibility and replicability of research findings.

S.No 6. Risk category: Technological risk

Specific risks:
· Cybersecurity Threats
· IT Infrastructure Failure
· Insufficient Data Management (improper backup practices)
· Mismanagement of Personal Data
· Incompatible Systems: New technologies may not integrate well with existing systems
· Over-Reliance on Technology

Consequences of the risk:
· Cybersecurity: Universities are often targeted by cyber attacks
· Unplanned system downtime and disruption that increase costs due to emergency repairs, data recovery, and legal liabilities. Loss of customer trust and competitive edge due to compromised service quality
· Integrating new technology into a business can be costly
· Job Displacement by Automation

Mitigation strategy:
· Maintain a proper backup system for information technology at the University
· Adopt a security policy. The University should have an IT security policy
· Wipe/replace old information communication technology equipment
· Minimize physical losses of IT devices
· Implement robust cybersecurity policies (e.g., multi-factor authentication, regular audits).
· Regularly update the systems.
· Conduct risk assessments and ensure compliance with regulations.

S.No 7. Risk category: Reputational Risks

Specific risks:
· Negative publicity due to financial mismanagement, legal issues, or poor student outcomes.
· Public dissatisfaction with tuition increases, service cuts, or leadership decisions.
· Criticism regarding the university’s social responsibility, diversity, or environmental impact
· Employee Misconduct
· Ethical and Social Responsibility Failures (failing to meet expectations for sustainability)
· Negative press coverage

Consequences of the risk:
· Loss of Trust: A damaged reputation may discourage prospective students from applying, as they may perceive the institution as lacking credibility, quality, or integrity.
· Decreased Retention Rates: Current students may transfer to other universities due to concerns about the institution’s standing.
· Difficulty Attracting Diverse Talent: International or minority students may be particularly hesitant to attend due to concerns about stability, inclusivity, or global reputation.
· It may face reductions in government support if the University is perceived as mismanaging resources or engaging in unethical practices.
· Donors and alumni may withdraw financial support if the university's reputation conflicts with their values.
· A decline in enrollment directly impacts tuition revenue, leading to budget shortfalls.
· The University may lose grants from government agencies, private organizations, and international bodies
· Partners may avoid collaboration
· Decline in academic impact, that is, research opportunities and collaborations diminished

Mitigation strategy:
Identify and Assess Risks
· Conduct Risk Assessments: Identify potential sources of reputational risk (e.g., employee misconduct, graduate student quality issues, data breaches, or poor stakeholder communication).
· Monitor Public Sentiment: Use tools to track media coverage, customer feedback, and social media trends to spot emerging concerns.
· Evaluate Stakeholder Expectations: Understand what matters most to the customers and what they prioritize about the University
Strengthen Internal Policies and Processes
· Implement Strong Governance: Maintain ethical leadership and robust oversight on decision-making processes.
· Develop Codes of Conduct: Ensure employees and leaders follow clear guidelines for ethical and professional behavior.
· Enhance Quality Control: Ensure high standards in student development and service delivery
· Cybersecurity Measures: Protect sensitive data and systems from breaches that could damage trust.
Build a Strong Organizational Culture
· Promote Transparency: Foster a culture of honesty, accountability, and openness within the University
· Empower Employees: Train employees to act as brand ambassadors and handle sensitive situations with care.
· Encourage Reporting: Implement mechanisms to address internal issues before escalating.
Engage with Stakeholders
· Maintain Open Channels: Build strong relationships with customers, employees and media to foster trust.
· Address Concerns Promptly: Resolve issues quickly and transparently to reduce long-term damage.

S.No 8. Risk category: Student Enrollment and Satisfaction Risks

Specific risks:
· Declining Enrollment Numbers
· Unqualified instructors, poorly designed curricula
· Mismatch in Expectations

Consequences of the risk:
· The university runs out of professors and skilled labor
· The university is unable to fix some major problems in society as community service
· Decreased trust among the customers
· Financial crisis

Mitigation strategy:
· Widen satellite or brand site colleges at the center of the country
  ✓ The University will need to increase recruitment around untapped student population groups, whether that’s defined by geography or other demographics.
· Focus and Hone the Degree Programs
  ✓ Identify degree programs that are both money-makers and brand-builders for the University; the colleges under the University may find it necessary to take a hard look at those programs, particularly their clear career path opportunity. Furthermore, this is also true for identifying non-degree credentials (short term training). It might seem that offering a broad range of credentials that relate to careers would help and encourage students who are on the barrier about committing to a four-year degree.
· Make yearly based grant opportunity for outstanding students
  ✓ Design a computation platform for the students for grant opportunity for postgraduate and tuition fee free chance for higher scorer undergraduate students
· Invest in data-driven marketing and outreach campaigns.
· Revise programs to align with market needs and trends.
· Streamline the application and enrollment process.
· Expand financial aid options and scholarships.
· Regularly update curricula and improve teaching quality.
· Strengthen student support systems and accessibility to services.
· Conduct regular student satisfaction surveys and act on feedback.
· Foster an inclusive and engaging campus environment.
· Provide career counseling, internships, and networking opportunities.

S.No 9. Risk category: Strategic Risks

Specific risks:
· Strategic Alignment Risks (Poor Strategic Decisions)
· Research and Innovation Risks (Reduced grants for research projects)
· Difficulty in attracting and retaining talented professors and researchers.
· Intense competition from other institutions for students, faculty, and research funding.
· Government Policy Changes (Shifts in education funding,
· Over-reliance on tuition fees as a primary revenue source, especially if enrollment fluctuates.

Consequences of the risk:
· Inability to implement a strategic vision for long-term growth.
· Failing to meet accreditation standards can affect the institution’s legitimacy.
· Weak alignment between academic programs and labor market needs.
· Lack of sufficient planning for international partnerships or global competitiveness.
· Failure to adapt to changing external environments, such as evolving workforce demands or global crises.
· Lack of alignment between research priorities and societal or industry needs

Mitigation strategy:
· Strategic Planning: Regularly update the university's strategic plan to address emerging challenges.
· Diversify Revenue Streams: Reduce reliance on tuition by pursuing alternative sources like research grants, endowments, and partnerships.
· Stakeholder Engagement: Involve students, faculty, alumni, and external partners in decision-making processes.
· Robust Governance: Strengthen internal policies, risk assessment frameworks, and oversight mechanisms.
· Technological Investment: Leverage digital tools to enhance operations and learning experiences
· Use data analytics software: This can help identify patterns, trends, and potential risk factors.
· Establish key risk indicators: Use risk indicators based on their likelihood of occurrence and impact level. This can help increase visibility of risk across the University.
· Use proactive risk management: This enables a university to distinguish between risks and use common risk mitigation methods, including avoidance, reduction, transference, and acceptance.

S.No 10. Risk category: External Stakeholder Risks

Specific risks:
· Compliance Risks: Non-compliance with government regulations (education standards, funding or reporting obligations).
· Heavy reliance on government funding
· Lack of communication and engagement with alumni
· Donors withdrawing financial support
· Misalignment of Interests with Partners
· Mismanagement of cross-cultural relationships
· Withdrawal of research funding by external organizations due to non-compliance or shifting priorities.
· Failing to meet required accreditation standards by stakeholders.

Consequences of the risk:
· Changes in funding sources or regulatory requirements by federal or state governments.
· Withdrawal or reduction of generous support from donors or corporate sponsors

Mitigation strategy:
· Stakeholder Identification and Mapping
  ✓ Identify and categorize stakeholders, figure out what motivates them, and assess their impact on the organization.
  ✓ Prioritize high-risk or high-influence stakeholders for focused mitigation efforts.
  ✓ Identify the stakeholders and meet them at scheduled times for clear and calm conversation and experience sharing
· Proactive Communication and Engagement
  ✓ Develop clear, consistent, and proactive communication strategies.
  ✓ Address concerns promptly and transparently to build trust.
  ✓ Create feedback mechanisms to understand stakeholder expectations and grievances.

S.No 11. Risk category: Insecurity or unrest around the University

Specific risks:
· Protests and Demonstrations
· Government policies or political interference by governments
· Sexual Harassment and Assault, especially for vulnerable groups
· Drug and Alcohol Abuse
· Corruption and Mismanagement
· Political Instability in the Country

Consequences of the risk:
· Reduced academic achievement: Violent conflict can make it harder for students to meet the minimum score for university exit exam.
· Student cafeteria service discontinuation
· Poor learning environment: Conflict can negatively impact the quality of the learning environment.
· Psychological distress: Students may experience psychological distress due to exposure to conflict-related violence around the university
· Absenteeism: Conflict can lead to increased absenteeism among students and academic staff
· University closures: Conflict can lead to long time University closures.

Mitigation strategy:
· Strengthening campus security through surveillance and trained personnel.
· Creating inclusive platforms for dialogue to address grievances.
· Developing risk management plans for crises such as protests or cyberattacks.
· Regularly engaging with local communities and law enforcement to reduce external threats.
· Offering counseling and awareness programs to prevent harassment, drug abuse, and extremism.
· Establish a standing committee to arrange tutorial classes for the missed courses and a consecutive mock exam program ahead of the exit exam schedule.
· Establish residency area for food service assistants at student cafeteria
· Establish a psychosocial support committee; scheduled psychological support will be provided to build psychological readiness for any unrest occasions
· Establish an incidence management board that includes higher officials of the university and city administration

S.No 12. Risk category: Natural hazard/risk

Specific risks:
· Wildfires risks
· Landslides
· Drought
· Flood
· Epidemic/outbreak

Consequences of the risk:
· Loss of crops: Any natural risk might destroy crops in the farmland of the University
· Damage to agricultural infrastructure: this natural disaster can damage agricultural infrastructure, including supply systems.
· Loss of livestock: these natural disasters can cause losses in livestock production of the University
· Loss of livelihoods: these natural disasters can lead to the loss of livelihoods of the University
· Epidemic/outbreak of diseases

Mitigation strategy:
· Early Warning Systems: Installing hazard-specific alerts.
· Infrastructure Preparedness: flood defenses, etc.
· Evacuation Plans: Well-rehearsed emergency procedures.
· Education: Raising awareness among students and staff.
· Collaboration: Working with local authorities for disaster management
· Applying agricultural insurance to reduce the impact of disasters
· Agroforestry: to reduce the impact of landslides and forest fires
· Planning of emergency preparedness actions like risk surveillance and warning systems at the University and conducting emergency response training based on the surveillance findings
· Establishing a public health emergency operational center with an incidence management team when there is an outbreak of diseases in the student cafeteria or in the University at large

S.No 13. Risk category: Staff turnover

Consequences of the risk:
· Loss of human capital: Brain drain can lead to the loss of human capital assets, including academicians, scientists, doctors, nurses, and accountants etc.
· Loss of income: The University loses income from taxes paid by the senior professors’ international grant winners, and the capital invested in their education.
· Prolonged poverty and underdevelopment at large in country level: Brain drain can lead to a reduction in skilled professionals, which can prolong poverty and underdevelopment of the country

Mitigation strategy:
· Create healthy work environment: A strong workplace culture can reduce employee attrition
· Offer benefits: Employees who receive educational and grant-winning benefits are more loyal and feel valued.
· Prioritize employee recognition: Regularly recognizing and rewarding employees reinforces the university values and builds enthusiasm
· Competitive compensation: A competitive compensation package can help attract and retain top talent

S.No 14. Risk category: Loose synergy or integrity of academic and admin staff

Specific risks:
· Poor communication and collaboration
· Compromised Academic Quality
· Delayed Program implementation
· Decreased Student Satisfaction
· Negative Perception Among Stakeholders
· Increased Turnover
· Failure to Achieve Institutional Goals
· Inability to Adapt to Change

Consequences of the risk:
· Loss of trust: Employees may lose trust in the university and in each other, which can make it difficult to work together.
· Poor performance: University staff may be less motivated to achieve the University's goals.
· Increased turnover of staff: Employees may be dissatisfied with the University culture and leave the University.
· Decreased customer loyalty: Consumers may boycott the University that they perceive as unethical.
· Financial impact: partners may lose confidence in the university’s ability to deliver the activities timely, which can lead to decreased stock prices

Mitigation strategy:
Enhance Communication and Collaboration
· Regular Meetings: Establish regular joint meetings between academic and administrative staff to discuss challenges, share updates, and align priorities.
· Communication Channels: Develop transparent and accessible communication channels,
· Feedback Mechanisms: Create systems where both groups can provide feedback on processes and suggest improvements (e.g., surveys, focus groups).
Define Roles and Responsibilities
· Clear Role Definitions: Clearly define the roles of academic and administrative staff to avoid overlapping responsibilities or conflicts.
· Joint Taskforces: Form interdisciplinary teams for special projects, blending academic and administrative expertise.
Align Goals and Vision
· University Strategic Plan: Ensure all staff understand and contribute to the university’s overarching goals and vision.
· Joint Goal Setting: Encourage shared ownership of initiatives (e.g., improving student satisfaction, research output, or operational efficiency).
Build a Positive Work Culture
· Recognition Programs: Recognize and celebrate successful collaborations between academic and administrative teams.
· Conflict Resolution Mechanisms: Develop a formal structure for resolving conflicts or misunderstandings.
· Team-Building Activities: Organize team-building events, such as retreats or informal gatherings, to strengthen interpersonal relationships
Foster a positive workplace culture
· Create an environment that values collaboration, employee growth, and well-being.
Encourage feedback
· Make sure people feel safe to express their opinions and criticisms without judgment.

9. Risk Management Committee
There shall be a Risk Management Committee appointed by the President and Vice Presidents. The Committee shall advise Management on:

· The level of exposure for the University.
· The fundamental risks affecting the University and their mitigation mechanisms.
· Appropriate reviews of the risk management policy and business continuity framework for the University.

The composition of the Risk Management Committee is as follows:

· Vice president for administration
· Registrar
· Human Resources
· Dean of Students
· Head of ICT
· Finance
· Legal
· Head Librarian
· Procurement
· Chief Security Officer Quality Assurance

However, the committee may co-opt other members as the need arises.

10. Duties and responsibilities



I. University Board of Governance


The University Board of Governance plays a pivotal role in the governance
and oversight of risk management within a university. Its responsibilities in managing risks are
focused on ensuring that the institution proactively identifies, assesses, mitigates, and monitors
risks across all its activities, including academic, financial, operational, reputational, compliance-
related and other risks.

The effectiveness of risk management is linked to management competence, commitment and
integrity, which form the basis of sound Corporate Governance. The University Board of
Governance is responsible for the following:

· Provide direction and guidance within their areas of accountability so that teams best
utilize their abilities in the preservation of the University's resources;
· Successfully promote, sponsor and coordinate the development of a risk management
culture throughout the University;
· Guide the inclusion of risk management in all strategic, compliance, reporting and
operational decision making;
· Maintain a framework to manage, monitor and report risk;
· Set and monitor the effectiveness of control/mitigation strategies and action plans by
ensuring they are adequately provided for;
· Support the Management of risks to meet University objectives, goals, mission and
vision.
· Provide adequate information in a timely manner on the status of risks and controls.
· Ensure that an annual review of effectiveness of internal controls and reporting to the
University Council is done;
· Assist in the development of benchmarks for achievement of the University mission;
· Initiate and coordinate the review of the Risk Policy Framework every two years and
the Risk Register annually.
II. Managing Council
The University Managing Council is ultimately accountable for risk management. The
following are some of the roles and responsibilities of the Managing Council:

· Ensuring the development of a policy on risk management which should take into
account sustainability, ethics and compliance risks.
· Setting out its responsibility for risk management in the Managing Council.
· Approving the risk management policy and the risk management framework.
· Delegating to management the responsibility to implement the risk management policy.
· Appointing a committee responsible for risk management. Ensuring that the committee
obtains relevant technical advice where necessary.
· Evaluating the performance of the committee once a year.
· Ensuring that risk assessment is carried out on a continuous basis.

· Receiving assurance from management that the risk management framework is integrated
in the daily activities of the organization.
· Identify and fully appreciate the risk issues and key performance indicators affecting the
ability of the University to achieve its strategic purpose and objectives.
· Ensure that appropriate systems have been implemented to manage the identified risks, to
measure their impact and probability and to proactively manage them. This is to ensure
that the assets and reputation of the University are suitably protected.
· Provide stakeholders with assurance that key risks are being properly identified, assessed,
mitigated and monitor the risk/reward appetite of the University.
· Ensure that a formal risk management policy for the University is maintained, evaluated
and reported as appropriate.
· Adopt and set structures to implement the Risk Based Internal Audit (RBIA) system for
the purpose of internalizing the Enterprise Risk Management framework for the
University.
III. Internal Risk Auditor
The Internal Risk Auditor shall review the risk management process based on the risk registers in
place, provide independent and objective assurance as to the adequacy and effectiveness of
the risk management process, and propose improvements where necessary.

The University Internal Risk Audit plays a crucial role in the institution’s overall risk
management framework. Internal risk auditors provide independent and objective assessments of
the effectiveness of the university’s internal controls, risk management processes, and
governance structures. Their work helps ensure that risks are properly identified, managed, and
mitigated across all areas of the university, including academic, financial, operational, and
compliance-related risks.

The internal risk auditor will be responsible for the following:

· Implement policies on risk management and internal controls;
· Identify and evaluate the significant risks faced by the institution for consideration
by the appropriate Committee and Council;
· Monitor the management of significant risks to reduce the likelihood of
unanticipated risks;
· Satisfy the University Council, that the less significant risks are being actively
managed, with the appropriate controls in place and working effectively;
· Develop and institute an audit policy to shift the university to the Risk Based
Internal Audit structure.
· Review and understand the institution’s risk profile, including strategic,
operational, financial, compliance, and reputational risks.
· Oversee the internal audit process to ensure it is independent, adequately resourced,
and aligned with the institution’s risk profile. The committee reviews the internal
audit’s effectiveness in identifying weaknesses and ensuring compliance.
· Recommend the appointment of external auditors and approve the external audit
plan. The committee should also evaluate the performance and independence of the
external auditor.
· Review the findings of both internal and external audits and ensure management
takes necessary corrective actions on any identified deficiencies.
· Ensure the accuracy, integrity, and transparency of the organization’s financial
reporting. The committee reviews financial statements before they are published,
ensuring compliance with accounting standards and regulatory requirements.
· Ensure that risk and audit management practices comply with corporate governance
best practices.
· Periodically review the committee's own effectiveness and suggest improvements to
its functioning, composition, or operations.
· Provide independent and objective assessments of the effectiveness of the
university’s internal controls, risk management processes, and governance
structures.
· Guide budgeting and procurement plan policy and activities of the University and
rationalize investments.
· Set up audit frameworks and audit the risk management activities in the entire
University as part of their normal Risk Based Internal Audit (RBIA) audit mandate.

· Evaluate the design and implementation of the university’s risk management
processes. They assess whether risks are being adequately identified, assessed, and
mitigated by the relevant university departments or units.
· Review the response strategies and internal controls put in place to mitigate
identified risks. This ensures that controls are functioning as intended and effectively
reducing the likelihood and impact of risks.
· Evaluate the university’s internal control systems to ensure they are properly
designed and operating effectively. This includes controls related to financial
reporting, academic processes, procurement, IT systems, and compliance with
policies and regulations.
· Conduct audits and control tests to determine if the internal controls in place are
effective in preventing or mitigating risks, such as fraud, operational inefficiencies,
and regulatory violations.
· If internal controls are found to be ineffective, provide recommendations for
strengthening or redesigning them to reduce risk exposure. This may include
recommending new control processes, policy revisions, or adjustments to existing
procedures.
· Review the university’s compliance programs, ensuring they are effectively
designed and implemented to address legal and regulatory obligations.
· Assess the university’s vulnerability to fraud and misconduct. They evaluate
systems, policies, and controls that are in place to detect and prevent fraudulent
activities, such as misappropriation of funds, falsification of academic records, or
procurement fraud. When fraud or unethical behavior is suspected or reported, the
internal audit may investigate the matter and provide a detailed report with findings,
recommendations for corrective action, and preventive measures.
· Review anti-fraud policies and procedures, ensuring that they are adequate and
effective in mitigating the risk of fraud across the university.
· Evaluate the university’s business continuity and disaster recovery plans, ensuring
that they are comprehensive and up-to-date, particularly in the event of major
disruptions (e.g., pandemics, natural disasters, cyber incidents).

· Report their findings and provide recommendations to senior management and the
Audit Committee. This ensures that governance bodies are informed of critical risks
and can take necessary actions.
IV. Other Employees

The other employees of a university (i.e., faculty, staff, and administrative personnel) play a
critical role in the institution’s risk management efforts. While the University Council, Risk and
Audit Committee and University Managing Council typically oversee and design risk management
strategies, the implementation and day-to-day execution of risk management practices depend on
employees at all levels. The involvement of all employees ensures that the university’s risk
management framework is effectively applied across all areas of the institution, from academic
departments to student services and administrative functions. The following are some of the
responsibilities of employees:

· Participate in identifying potential risks in their areas of responsibility, such as safety
hazards, operational inefficiencies, or academic integrity issues, and promptly report
them to the appropriate authorities.
· Understand the risks related to their specific roles and the wider university operations,
including financial risks, compliance risks, cyber security threats, health and safety risks,
and academic risks.
· Contribute to fostering a culture of risk awareness across the University by being
proactive and encouraging colleagues to identify and discuss risks openly. This helps
create an environment where risk management is embedded in everyday activities.
· Adhere to the university’s established policies and procedures, particularly those
related to risk management, safety, data protection, and ethical conduct. This ensures that
risks are mitigated through consistent behavior and adherence to institutional guidelines.
· Follow strict guidelines to manage financial risks, maintain data security, and protect
sensitive student, staff, and research data in accordance with privacy laws (e.g., employees
in finance, IT, or research).

· Report any risks, hazards, or non-compliance they observe to their supervisors or the
designated risk and audit committee. This includes reporting issues like financial
irregularities, safety concerns, cyber security threats, or unethical behavior.
· Collaborate with colleagues and departments to discuss risks, share information, and help
identify effective solutions. This collaborative approach ensures that risks are managed
from multiple angles and improves the overall risk management framework.
· Participate in risk management training programs provided by the university, which can
help them understand their roles in managing risks and become familiar with risk
mitigation strategies. Continuous education and training can improve risk awareness and
preparedness across the institution.
· Provide constructive feedback that helps to improve the effectiveness of existing risk
management practices and suggest improvements to policies, procedures, or
communication channels.

11. Risk Monitoring & Review of Policy


A risk monitoring and review policy is a planned part of the risk management process that
involves regularly checking and reviewing risks and their potential impact on the university. It is
a critical aspect of the risk management process that ensures everything is working effectively
and efficiently, and it shall be checked regularly by the concerned body to manage risks in the
university.

The risk management committee shall regularly review risks identified in the university’s risk
register document. The concerned body shall document any actions or events that change the
status of a risk in the university. For example, the following shall be documented:

· Changes to a risk evaluation as a result of improvements in controls
· A control breach and near miss should be logged at the time of the event
· A new risk that has been identified.
The risk committee and the responsible body should review the risk register on a regular basis,
such as at a monthly partners’ meeting, to determine if any remedial action needs to be taken
immediately.

The university's monitoring and review processes shall encompass all aspects of the risk
management process for the purposes of:

· Ensuring that controls are effective and efficient in both design and operation
· Obtaining further information to improve risk assessment
· Analyzing and learning lessons from risk events, including near-misses, changes, trends,
successes and failures
· Detecting changes in the external and internal context, including changes to risk criteria
and to the risks, which may require revision of risk treatments and priorities
The risk management committee shall do the following tasks when monitoring and reviewing the
risk policy and strategy:
o Record every risk that has occurred and report results to the concerned body
Record and report the results of the monitoring and review process internally and externally as
appropriate.

o Use a risk register


The committee shall use a risk register, which is a document or database that tracks risks and the
actions taken to address them. It is a key tool for risk monitoring and reporting.

o Review control measures made by the university


The committee shall review control measures regularly, especially when a new risk or hazard is
identified, or when a control measure isn't effective.

o Update plans and strategies


Update plans and strategies as needed based on the results of the monitoring and review process.

The Internal risk Audit has a responsibility to provide assurance on the effectiveness and
adequacy of risk management activities in the university to assist the management of University
of Gondar in improving governance and internal controls.

The Internal risk Audit body of the university shall report to the risk managing council, then the
managing council to the board of risk governance. In order for the Governing Council of risk to be
properly informed of the status of risks facing the University, all outfits of the University are
required to report regularly on risks assessed and steps taken to manage them. Reports of all
outfits setting out the University’s major risks and actions being taken to manage them are to be
consolidated by the Committee. The consolidated reports are to be submitted to the Governing
Council each quarter utilizing a standard format that details all identified significant risks.

The University’s Risk Register document provides an integrated platform for monitoring all
levels and categories of risk. Regular risk monitoring and review shall be conducted to inform
management decisions, enabling adaptive management and course corrections.

The results of monitoring and review must be recorded and reported as appropriate and be used
as a regular input to programme and risk management decisions, audits, and organizational
performance. While risk monitoring is customized to the specifics of each risk, the Risk Register
needs to be updated if new information becomes available that affects the identification, analysis,
evaluation and identified treatment measures.

Real-time monitoring of opportunities and threats should be considered in rapidly changing
contexts to provide an early-warning mechanism and enable proactive response. In addition, the
status and effectiveness of treatment measures need to be monitored for Moderate, Substantial
and High-level risks and included in programme and project management monitoring plans and
budgets.

The risk policy and strategy should be periodically reviewed and updated to reflect changes in
the internal and external environment, regulatory requirements, and internal operations. This
review process ensures that policies remain relevant and are capable of addressing new or
evolving risks. It also involves evaluating the performance of risk controls and determining
whether they are achieving the desired outcomes. Through regular policy review and risk
monitoring, the university can improve its resilience, better manage uncertainties, and enhance
decision-making to maintain operational stability and safeguard its assets.

This Policy and strategy document shall be reviewed by the University Council from time to
time as may be necessary.

12. EFFECTIVE DATE

This policy shall be effective from the date of approval by Council.
