
Fiscal Resources - University of Dubai · Management (ERM) 1 Purpose: To define risk management and...

Date post: 04-Sep-2020

UD Policies & Procedures |Fiscal Resources

Fiscal Resources

No. : FR 8.5

Date : December 16, 2013

Subject : Risk Management Policy - UD Policy on Comprehensive Enterprise Risk Management (ERM) [1]

Purpose: To define risk management and the responsibility of the University.

Responsibility: UD Management

Cross Reference: -

ERM Concept

Comprehensive Enterprise Risk Management (ERM) is an integral part of sound management practice and an essential element of good corporate governance, as it improves decision-making and enhances outcomes and accountability enterprise-wide. The intent of this policy is to ensure that the University makes informed decisions with respect to the activities that it undertakes by appropriately considering both risks and opportunities. In this regard, University of Dubai (UD) has taken the following steps for the first time by setting policy guidelines for comprehensively managing risk UD-wide. While setting these guidelines, UD utilizes the existing IE framework and KPIs for UD faculty and staff besides the scholarly resources stated in footnote-1. These resources provide the basis for:

- more confident and rigorous decision-making and planning;
- better identification of opportunities and threats;
- pro-active rather than re-active management;
- more effective allocation and use of resources;
- improved incident management and reduction in loss and the cost of risk;
- a clear understanding by all staff of their roles, responsibilities and authorities for managing risk;
- improved compliance to CAA standards;
- better corporate governance; and
- the development of a more risk aware organizational culture through enhanced communication and reporting of risk.

Policy Objectives

- To confirm and communicate the University’s commitment to risk management to assist in achieving its strategic and operational goals and objectives.

- To formalize and communicate a consistent approach to managing risk for all University activities and to establish a reporting protocol.

- To ensure that all significant risks to the University are identified, assessed and reported to the University in a timely manner through the University’s Audit & Risk Management Committee (ARMC).

1 This policy has been developed by using the following scholarly resources:

a. Ananth Rao, “Evaluation of Enterprise Risk Management (ERM) in Dubai – An Emerging Economy”, Risk Management – An International Journal, Vol.9, # 3, July 2007, pp 167-187.

b. Risk Management Process - Overview, “Risk Management Guidelines Companion to AS/NZS ISO 31000:2009”


- To assign accountability to all staff for the management of risks within their areas of control.

- To provide a commitment to staff that risk management is a core management capability.

Common definitions in ERM

UD will adopt consistent terminology (Appendix-1), in line with the Australian/New Zealand Risk Management Standard (AS/NZ ISO 31000:2009), to ensure effective communication and stakeholder awareness of risk and risk management within the University.

ERM Approach at UD

Risks at UD will be managed as per the UD-IE framework, modified for the ERM context. The process is displayed in Chart 1, followed by a short explanation of each stage:

Chart 1: Risk Management Process

Establishing the Context

Understanding the strategic and organizational context against which the University’s risks will be considered requires an understanding of the University’s internal organizational environment and external relationships, involving the following steps:

Stage-1 Risk assessment

This stage involves the overall process of risk identification, risk analysis and risk evaluation.

Risk Identification

This involves identifying risk sources, areas of impacts, events, causes and possible consequences to form a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. The University has adopted a comprehensive process to identify the strategic, operational and project related risks that form part of its overall risk profile, as in Table-1:


Table-1: RISK CATEGORIES AND SUB-CATEGORIES

1. Corporate Information
   Benchmarking; Data: access, availability, quality, security, transfers and storage; Records and information management; Brand management; False and/or misleading statements; Marketing; Public relations; Reputation; Social networking websites; Unauthorized release of information; Internal communications; and Web development.

2. External Relations
   Contract management; Procurement and tenders management; Agent and student recruitment; Alignment of objectives; Commercial activities and operations; Relationship Management: Community, Government and Business; Consultancy activity; Contract Management; Contracting and contract review; Partner institutions; Political and regulatory change; and Probity and equity.

3. Financial
   Budgeting and planning; Cash flow and liquidity management; Cash handling and control; Cost benefit analysis; Expenditure management; Efficient and effective administration; Financial accounting and reporting; Funding arrangements; Foreign exchange management; Management accounting and reporting; Payment and payables; Purchasing; Revenue management; Treasury and investment management; Donations.

4. Governance
   Planning; Alignment of objectives; Audit; Compliance management; Committee effectiveness; Controlled entity governance; Delegations and authorities; Fraud and corruption prevention and control; Fraud investigations; Enterprise Risk management; Insurance program management; Procedures, processes and rules management; Policy management; Project management; Property valuations; Regulation and legislation; Complaints management; External reporting; and Regulation and legislation.

5. Human Resources
   Casualization; Employee & industrial relations; Enterprise bargaining; Equity and diversity; Leave management; Paid Outside Work; Performance management; Recruitment and appointment; Remuneration, payroll and superannuation; Staff attraction and retention; Staff development and training; Succession and workforce planning; Workplace culture and behaviors; Workforce planning; and Workload Management.

6. Information Technology
   Disaster recovery; Hardware and hardware support; Infrastructure management; Network management; Security; Service Levels; System effectiveness; System software; Telecommunications; Vendor and relationship management; and Web development.


7. Occupational Health and Safety
   Hazard management; Induction; Manual handling practices; Rehabilitation and injury management; Staff stress and work related fatigue; Workers compensation management; and Workplace safety.

8. Property and Infrastructure
   Asset and property services; Asset Management and Maintenance; Building security; Business Continuity Management; Campus parking; Campus planning; Campus security; Critical Incident Management; Emergency Management; Fleet management; Infrastructure planning; Utilities management; Air emissions; Contamination and pollution; Environmental Management, Conservation & Planning; Noise; Sustainability targets; and Waste disposal.

9. Research
   Ethics; Funding; Grant administration; Reputation; Supervision; Research Commercialization and Student load; and Student Attraction and retention.

10. Students
   Enrolment and admission processes; Equity and diversity; Examinations and assessments; and Student experience.

11. Teaching and Learning
   Academic integrity; Accreditation; Admission criteria; Casualization; Competitiveness; Curriculum e-learning/flexible learning; Student support, health and wellbeing; Student Scholarships and Prizes and Student load/ Student Attraction and retention.

Risk Analysis

Risk analysis involves considering the range of causes, sources of risk, consequences and likelihood to produce a risk rating. The rating can then be used to determine further risk management by the University. Risk analysis considers the range of potential consequences and separates bigger risks from smaller risks. UD’s appetite for risk and the criteria against which risk is assessed and evaluated have been established in consideration of the context, and have resulted in the Risk Matrix listed in Table-2.

Table-2: UD Enterprise Risk Management Matrix

CONSEQUENCE (rows) against LIKELIHOOD (columns)

CONSEQUENCE   | Rare | Unlikely | Possible | Likely  | Almost Certain
Severe        | LOW  | MEDIUM   | HIGH     | EXTREME | EXTREME
Major         | LOW  | MEDIUM   | MEDIUM   | HIGH    | EXTREME
Moderate      | LOW  | LOW      | MEDIUM   | MEDIUM  | HIGH
Minor         | LOW  | LOW      | LOW      | MEDIUM  | MEDIUM
Insignificant | LOW  | LOW      | LOW      | LOW     | LOW


The risk rating determines if the risk requires further management by the University. Consequence and likelihood are combined to produce a risk rating. This is achieved by applying criteria in the Risk Management Matrix to determine the level of risk to the University. These criteria include the following:

- Likelihood of the risk, which reflects how often a risk may occur;
- Consequence of the risk, which defines the actual/potential impact that would/might occur.

When assessing a risk, consideration is given to general management controls that may already be in place, such as: Management systems and structures; Reporting; Delegations; Audit plans and/or Periodic (formal) reviews; Insurance; Training; Process/procedures; Policies; Contract Conditions; Design specifications; Supervision / Testing; Monitoring/quality assurance; and Segregation of duties.

Risk Evaluation

Risk evaluation takes the levels of risk identified during risk analysis and ranks and prioritizes the risks according to a consistent overall ranking and rating system. Risk evaluation involves risks being ranked and prioritized according to a risk rating. This enables risk management decisions to be made based on the outcome of risk analysis. Management priorities and cost/benefit analysis will ultimately determine how risks will be prioritized for treatment. UD’s risk prioritization is depicted in Appendix-2.

Stage-2 Communicate and Consult

In this stage, effective internal and external communication and consultation to improve general understanding of risk management will be delivered through: Engagement Strategy; Regular presentations and briefings; Regular liaison with both internal and external stakeholders; Risk workshops; Reporting; Risk review processes; and Training and awareness.

Stage-3 Risk treatment

This stage involves selecting one or more options for managing risks.

- For Extreme and High rated risks, UD will expect active management, regular monitoring and reporting on these risks and their associated action plans, with a target resolution of the risks between 6-12 months.

- As Medium and Low rated risks are more tolerable, UD expects monitoring and review of these risks periodically, with resolution planned for within 24 months.

There are a number of possible options for treating risk:

1. Accept the risk: this may be appropriate where a risk is regarded as unavoidable, associated with pursuing an opportunity, or tolerable with no available treatment plans.
2. Reduce the Likelihood or Impact of the risk by introducing new treatment plans.
3. Transfer the risk: this requires the partial or complete responsibility for the impact of the risk being transferred or shared between parties (internal/external), e.g. insurance, joint ventures etc.
4. Avoid the risk: avoid involvement in the activity, or remove the risk source that raises the University’s exposure to the risk.

Selecting the most appropriate risk treatment involves balancing the costs and efforts of implementation against the benefits derived. UD’s risk treatment is depicted in Table-3.


Table-3: UD Risk Management Action

EXTREME
- An “extreme” risk may be unacceptable;
- Senior staff consideration is required;
- A detailed mitigation plan must be developed;
- Regular monitoring and reporting to the relevant management/steering committee;
- Target resolution should be within 6 months.

HIGH
- A “high” risk may be unacceptable;
- Senior staff consideration is required;
- A mitigation plan should be developed;
- Regular monitoring and reporting to the relevant management/steering committee;
- Target resolution should be within 6 to 12 months.

MEDIUM
- A mitigation plan must be developed;
- Existing controls, consequences and likelihood do not substantially change;
- Target resolution should be within 12 to 24 months.

LOW
- Risk is tolerable;
- Manage by well established, routine processes/procedures and be mindful of changes to nature of risks.

Stage-4 Monitoring and review: UD is constantly changing and hence UD needs to continually monitor and review its risks and the effectiveness of its management of risk over time. The periodicity of risk review will be determined by the risk rating, with higher rated risks and associated controls/risk mitigation strategies reviewed more often. Risk monitoring and review will:

- Ensure risks appropriately reflect the reality of UD’s operating environment and risk appetite and tolerance levels.

- Involve the review of risk ratings (likelihood & consequence).

- Involve a review of the adequacy and effectiveness of existing risk controls / treatment plans and recommend changes to treatment priorities & timeframes.

- Identify emerging or new risks.

- Include consideration of the appropriate “responsible person(s)” for ongoing monitoring and review of risks within UD’s risk register/ERM system.

Roles and Responsibilities

- The University Academic Affairs Council (AAC) will oversee Stages 1 and 4 of the risk management process across the University.

- All unit heads (both academic and non-academic) are responsible for implementing all stages of the risk management framework in their respective business operations; for ensuring that staff understand their responsibilities with respect to operational risk management; and for developing a risk aware culture within their area of responsibility.

- The Audit and Risk Management Committee (ARMC) will advise the AAC in relation to its functions. The ARMC is responsible for:
  - Continuous improvement of the University's Risk Management approach;
  - Ensuring the implementation of risk management through training, workshops and providing assistance when required;
  - Assisting University staff in conducting risk assessments where necessary.

- ARMC shall monitor implementation of the ERM System to improve UD’s ability to record, track and report on risks in the UD risk register.

- The risk metrics appropriate to the area will also form part of KPIs for academic and non-academic staff.


Plan of Action:

1. Conduct a series of workshops for faculty and staff across UD to develop ERM culture amongst the operatives. Due date: To be completed by April 2014.
2. Develop a key risk register. Prioritized risks at UD as grouped in Table-1 are detailed in (Appendix-3) for implementation and monitoring.
   a. Prioritize the risk
   b. Assess the current status of risk
   c. Assess internal control measures/mitigation already in place
   d. Assess residual risk
   e. Monitor residual risk after risk treatment


APPENDIX 1- DEFINITION OF TERMS

The following terms shall, unless the context otherwise requires, have the meaning given to them here:

AS/NZ ISO 31000:2009: The Australian / New Zealand Risk Management standard to which the University of Dubai ERM policy aims to adhere.

Assurance: A process that provides confidence that planned objectives will be achieved within an acceptable degree of risk.

Audit & Risk Management Committee (ARMC): A standing committee of the University of Dubai, responsible for providing oversight of the University’s management of risk.

Operational Risk: Those risks that arise in day to day operations; uncertainties concerning the satisfaction of operational objectives.

Communication and consultation: Continual and iterative processes that an organization conducts to share information about managing risk.

Consequence: The outcome of an event affecting objectives.

Enterprise Risk Management (ERM): The system within which risk information will be contained and maintained UD-wide.

Establishing the context: Defining the external and internal parameters to be taken into account when identifying a risk.

External context: External environment in which the organization seeks to achieve its objectives.

Event: Occurrence or change of a particular set of circumstances.

Control: Any action taken to manage risk. These actions may be taken to manage either the impact of the risk if realized, or the likelihood of the risk.

Internal context: Internal environment in which the organization seeks to achieve its objectives.

Level of risk: The magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.

Likelihood: Chance of something happening.

Loss: Any negative consequence, financial or otherwise.

Monitoring: Continual checking of the status of a risk and the impact of mitigation strategies.

Residual risk: The risk remaining after risk treatment.

Review: Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives.

Risk: Effect of uncertainty on objectives.

Risk Acceptance: An informed decision to accept the consequences and the likelihood of a particular risk.

Risk Analysis: Process to comprehend the nature of risk and to determine the level of risk.

Risk Assessment: The overall process of risk identification, risk analysis and evaluation.

Risk Appetite: The amount of risk that the University is prepared to accept or be exposed to at any point in time.

Risk Attitude: Organization’s approach to assess and eventually pursue, retain, take or turn away from risk.

Risk Avoidance: An informed decision not to become involved in, or to withdraw from, a risk situation.

Risk evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude are acceptable or tolerable.

Risk Evaluation: The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

Risk Identification: Process of finding, recognizing and describing risk.

Risk Owner: Person or entity with the accountability and authority to manage risk.

Risk management framework: The set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

Risk management plan: The scheme within the risk framework specifying the approach, the management components and resources to be applied to the management of risk.

Risk Management Program: The University's policies, procedures, systems and processes concerned with managing risk.

Risk Management Policy: Statement of the overall intentions and direction of an organization related to risk management.

Risk Management Process: Systematic application of the steps: communicating, consulting, establishing the context,


Appendix-2: University of Dubai Risk Matrix

Consequence scale

Each consequence level is described under six headings: General; Compliance/Legal; Employee/HS&E; Financial; Reputation; Service levels.

Insignificant

General:
- Some localized inconvenience, but no impact to the University.
- Absorbed within business running costs
Compliance/Legal:
- Breach of legislation, contract, rule or policy that does not have any penalty or litigation impact.
Employee/HS&E:
- Localized morale issues or potential employment continuity concerns.
- HS&E incident reported but not requiring follow up action
Financial:
- Less than 1% of budget
Reputation:
- Issue resolved promptly by operational management processes.
- Minimal or no stakeholder interest
Service levels:
- Loss of less than one day’s teaching, research and/or business functions

Minor

General:
- Disruption to operations with no permanent or significant effect on University
Compliance/Legal:
- Breach of legislation, contract, rule or policy that may have an impact on the relationship with the third party or the legislator, but no long lasting effect.
- No litigation or prosecution and/or penalty
- Regulatory consequence limited to standard inquiries
Employee/HS&E:
- Continuity of employment concerns localized to one faculty/division
- HS&E incident requiring medical attention or explanatory report.
Financial:
- 1 to 2% of budget
Reputation:
- Issue raised by students and/or local press
- Adverse local public or media attention and complaints.
- Reputation is adversely affected by a small number of affected people
Service levels:
- Loss of one full day of teaching, research and/or business functions

Moderate

General:
- Some impact on the university’s operational performance
- Less impact on strategic goals in the medium term.
Compliance/Legal:
- Breach of legislation, contract, rule or policy leading to escalated legal enquiries
- Regulatory or legal consequence limited to additional questioning or review by legislator.
Employee/HS&E:
- Continuity of employment concerns across the University
- HS&E incident requiring significant medical [...] reported and investigated
Financial:
- 2-5% budget
Reputation:
- Student and/or community concern
- National media coverage and external criticism
- Reputation impacted with some stakeholders
Service levels:
- Loss of 1-7 days of teaching, research and/or business functions

Major

General:
- Significant effect on operational performance
- Will require operational resource reallocation (financial, assets and /or people) to manage and resolve in the medium term to avoid non achievement of strategic goals
Compliance/Legal:
- Breach of legislation, contract, rule or policy leading to possible legal action
- Possible litigation or criminal prosecution and/or penalty
- External enquiry or regulatory review and/or possible negative sanction by a regulatory body.
Employee/HS&E:
- Significant (up to 15%) loss of staff contained to one faculty / division
- Widespread damage to [...] event causing serious injury, or negative environmental impact, and the relevant external authority notified
Financial:
- 5-10% budget
Reputation:
- Loss of student confidence in a School or Faculty
- Sustained adverse national media and public coverage
- Reputation impacted with a significant number of stakeholders
- Breakdown in strategic and or business partnership
Service levels:
- Loss of two weeks to two months of teaching, research and/or business functions

Severe

General:
- Achievement of operational and strategic goals in the medium term jeopardized
- Existence of the University under threat
Compliance/Legal:
- Breach of legislation, contract, rule or policy leading to significant and costly legal action with widespread potential impact for the University
- Litigation or criminal prosecution and/or substantial major negative sanction by a regulatory body
Employee/HS&E:
- Significant loss of staff extending to the entire university (over 15%)
- HS&E event causing serious permanent injury, death or environmental impact leading to costly action and widespread impact on the University and/or senior staff
Financial:
- Over 10% of budget
Reputation:
- Loss of student confidence in the University
- Reputation and standing of the University affected nationally and internationally
- Serious public outcry and/or international [...] impacted with majority of key stakeholders
- Significant breakdown in strategic and or business partnerships
Service levels:
- Loss of over two months of teaching, research and/or business functions

Likelihood Scale

Rare
- Likelihood: Only in exceptional circumstances
- Controls Environment: Testing results were either completely satisfactory or identified a small number of one-off and minor errors. No impact on the integrity of risk mitigation.

Unlikely
- Likelihood: Small chance of occurring at some time
- Controls Environment: Some control efficiency issues identified which do not impact the overall mitigation of the risks to the area.

Possible
- Likelihood: Might occur at some time
- Controls Environment: Some control breakdowns appear to be systemic or impact on key controls, but the controls framework broadly meets its objectives although it could be more efficient and effective.

Likely
- Likelihood: Will probably occur in most circumstances
- Controls Environment: There are significant systemic issues within the control framework which impact the risk mitigation for the area.

Almost Certain
- Likelihood: Expected to occur or a common occurrence
- Controls Environment: There are no controls in place, or the objectives of the controls framework are not met due to the poor quality of design or implementation of the control framework.

Page 11: Fiscal Resources - University of Dubai · Management (ERM) 1 Purpose: To define risk management and the responsibility of the University. Responsibility: Cross Reference: UD Management

UD Policies & Procedures |Fiscal Resources

Appendix-2 University of Dubai Risk Matrix Consequence scale

General Compliance/Legal Employee/HS&E Financial Reputation Service levels

Insignificant - Some localized inconvenience, but no impact to the University.

- Absorbed within business running costs

- Breach of legislation, contract, rule or policy that does not have any penalty or litigation impact.

- Localized morale issues or potential employment continuity concerns.

- HS&E incident reported but not requiring follow up action

less than 1% of budget

- Issue resolved promptly by operational management processes.

- Minimal or no stakeholder interest

Loss of less than one day’s teaching, research and/or business functions

Minor - Disruption to operations with no permanent or significant effect on University

- Breach of legislation, contract, rule or policy that may have an impact on the relationship with the third party or the legislator, but no long lasting effect.

- No litigation or prosecution and/or penalty

- Regulatory consequence limited to standard inquiries

- Continuity of employment concerns localized to one faculty/division

- HS&E incident requiring medical attention or explanatory report.

1 to 2% of budget

- Issue raised by students and/or local press

- Adverse local public or media attention and complaints.

- Reputation is adversely affected by a small number of affected people

loss one full day of teaching, research and/or business functions

Moderate - Some impact on the university’s operational performance

- Less impact on strategic goals in the medium term.

- Breach of legislation, contract, rule or policy leading to escalated legal enquiries

- Regulatory or legal consequence limited to additional questioning or review by legislator.

- Continuity of employment concerns across the University

- HS&E incident requiring significant medical

reported and investigated

2-5% budget - Student and/or community concern

- National media coverage and external criticism

- Reputation impacted with some stakeholders

Loss of 1-7 days of teaching, research and/or business functions

Major - Significant effect on operational performance

- Will require operational resource reallocation (financial, assets and/or people) to manage and resolve in the medium term to avoid non achievement of strategic goals

- Breach of legislation, contract, rule or policy leading to possible legal action

- Possible litigation or criminal prosecution and/or penalty

- External enquiry or regulatory review and/or possible negative sanction by a regulatory body.

- Significant (up to 15%) loss of staff contained to one faculty / division

- Widespread damage to

event causing serious injury, or negative environmental impact, and the relevant external authority notified

5-10% budget - Loss of student confidence in a School or Faculty

- Sustained adverse national media and public coverage

- Reputation impacted with a significant number of stakeholders

- Breakdown in strategic and or business partnership

Loss of two weeks to two months of teaching, research and/or business functions

Severe - Achievement of operational and strategic goals in the medium term jeopardized

- Existence of the University under threat

- Breach of legislation, contract, rule or policy leading to significant and costly legal action with widespread potential impact for the University

- Litigation or criminal prosecution and/or substantial major negative sanction by a regulatory body

- Significant loss of staff extending to the entire university (over 15%)

- HS&E event causing serious permanent injury, death or environmental impact leading to costly action and widespread impact on the University and/or senior staff

Over 10% of budget

- Loss of student confidence in the University

- Reputation and standing of the University affected nationally and internationally

- Serious public outcry and/or international

impacted with majority of key stakeholders

- Significant breakdown in strategic and or business partnerships

Loss of over two months of teaching, research and/or business functions

Likelihood Scale

Rare

- Likelihood: Only in exceptional circumstances

- Controls Environment: Testing results were either completely satisfactory or identified a small number of one-off and minor errors. No impact on the integrity of risk mitigation.

Unlikely

- Likelihood: Small chance of occurring at some time

- Controls Environment: Some control efficiency issues identified which do not impact the overall mitigation of the risks to the area.

Possible

- Likelihood: Might occur at some time

- Controls Environment: Some control breakdowns appear to be systemic or impact on key controls, but the controls framework broadly meets its objectives although it could be more efficient and effective.

Likely

- Likelihood: Will probably occur in most circumstances

- Controls Environment: There are significant systemic issues within the control framework which impact the risk mitigation for the area.

Almost Certain

- Likelihood: Expected to occur or a common occurrence

- Controls Environment: There are no controls in place, or the objectives of the controls framework are not met due to the poor quality of design or implementation of the control framework.


APPENDIX-III

University of Dubai | Prioritization of Risk as at December 2013 – Version 1 Page 1 of 5

RISK ASSESSMENT PRIORITIZATION | DECEMBER 2013 (Version 1)

The risk assessment is conducted in line with UD Policy FR 8.5 Risk Management Policy to record the significant findings of risk assessment and prioritization. This is a live document and will be updated as and when necessary.

KEY: Extreme High Risk Medium Risk Low Risk

Ref. to UD Policy FR 8.5 (Table-1)

What are the hazards? Who might be harmed and how?

What are you already doing? Do you need to do anything else to manage this risk?

Action by whom?

Action by when?

Done (Yes/No/ In-Progress)

1. Corporate Information

1.1. Accessibility of Corporate Information

University data and statistics

University data are in silos so the quality and accessibility of data is a key risk.

The new ERP has integrated all information about UD into central information which is easily accessible for timely decision-making

OIE April 2014 No

2. External Relations

None - - - - -

3. Financial 3.1. Fraud cash and cheque collection

University will lose money and it will affect the cash flow

Manually verifying cash and cheque There is chance to collect fraud cash and cheque.

Use electronic device to verify cash and cheque

Financial controller

Each transaction

Yes

3.2. Cheque Return University Finance

PDC cheques are deposited without reminding students, it will be difficult to inform manually each student due to large number of PDC cheques every day for depositing at bank

System should generate auto mail to each student by SMS and email before 1 week and get confirmation mail from student before depositing cheque at bank

Financial controller

Cheque due date

-

3.3. Payroll University Finance Manually preparing monthly payroll in excel – There is chance for error

Payroll needs to be processed from GP or other system. The ne

Financial controller

Each month

IP

4. Governance

4.1. Enterprise Risk Management

University Compliance management in silos. Need comprehensive compliance management through the new ERP.

IT/OIE April 2014 IP


5. Human Resources

5.1. Loss of key personnel – faculty & staff

Affect work productivity and continuity

Faculty/staff team are being developed to ensure continuity of activities

Monitoring by HR Office All Staff and HR Office

By May each year

IP

5.2. Death or Disability of employee

University staff/faculty Each employee is covered for AED100,000 under university life insurance policy

Ensure coverage each year HR Office Contract renewal by May each year

Yes

6. Information Technology

6.1. Loss of Information Back-up

Staff/Faculty/Students Regular check and test the integrity of data backup on a test server

Back-ups conducted daily, weekly, monthly and yearly

IT Staff Per schedule

Yes

6.2. Internet line down Staff, students Add another line for contingency Added another line from Etisalat IT staff Dec 2013 Yes

6.3. Security Alerts and Advisories

Staff/Faculty/Students A free software has been configured to send an alert message to IT staff regarding any alerts

Monitoring current servers IT Staff Going on

Done

6.4. Failure of PBX(telephone) system

Staff/Faculty members Upgrade IP telephony system Implement IP telephony IT Staff Going on Done

6.5. Malicious code and intrusion detection system

Staff/Faculty/Students Requested Juniper latest firewall system

Implementing the firewall system IT Staff Going on Done

6.6. Network Bandwidth IT Staff Configured MRTG application to check the GUI display of usage of core/edge switches. Each floor and labs has been assigned for different VLAN

Monitoring the MRTG application IT Staff Each day Yes

6.7. Core switch failure Staff, students Install 2 new core switches for contingency

Monitoring the core network IT staff Jan 2014 -

6.8. Website down Staff, students We are calling Etisalat and follow up with them Move to new host company Webmaster April 2014 IP

6.9. Server(s) failure Staff, students Backup, contingency/mirroring/clustering

Monitoring the servers IT staff Dec 2013 Yes

6.10. Data security and risk

Staff/Faculty/Students Configured a separate policy for staff/faculty and student to make sure the data are secured and nobody can access data except the authorized person

Monitoring and configuring as per management request

IT Staff Going on Done

6.11. Physical access to server room and Environmental Program

Staff/Faculty/Students Only IT staff and facility management has an access to the Server Room. Regular vacuum and cleaning of Server Room

Monitoring physical access by maintaining logs

IT Staff / Facility Management

Going on

Done

7. Occupational Health & Safety

7.1. Fire breakout University students, staff, faculty and guests

Ensuring fire and safety equipment are in full working conditions

Conduct 30-minute training session once a semester starting from Spring 2014 on evacuation procedures

Procurement, HR Office

Quarterly

7.2. First-aid box and accident book

University students, staff, faculty and guests

Availability of first aid box on each floor.

Maintain supplies each week and accident book

Nurse Weekly Yes

7.3. Unsafe and unhealthy working conditions

University students, staff, faculty and guests

Maintaining equipment, classrooms, labs office space, air-conditioning, electrical connections, toilets hygiene and clutter free hallways

Monitoring regular maintenance Procurement, HR and IT

Ongoing Yes

7.4. Unavailability of emergency contact details

University students, staff, faculty and guests

Maintaining students and staff emergency contact details

Update regularly students and staff emergency contact details

Nurse, HR Office, Registrar

Each semester

Yes


8. Property & Infrastructure

8.1. Natural Disasters University property Building insurance coverage Ensure clause coverage in the contract renewals

Procurement Department

Contract renewal each year in August

Yes

9. Research None - - - - - -

10. Students 10.1. Low student enrolment

Survival risk to the University

Focusing on strong student recruitment and marketing efforts

Maintain university awareness in the market and close monitoring of activities.

Student Recruitment and Marketing

Each week IP

10.2. SIS records Students & University Trying to maintain what we already have until the new system is in place

Eliminate data entry/updates. Monitoring the system functionality.

Registrar On going On going

10.3. Currently enrolled students not registered in each semester

Students & University Checking status of net student position between enrolled and registered each semester

Follow-up with enrolled students and to appraise them about their duration for graduation.

Registrar Each semester

Yes

10.4. Incomplete Student registration details

Student registration details entered manually in GP. So there is chance for error

Student do the booking on line and Finance enter manually this details in GP

Student information system(SIS) and GP should be integrated for updating student registration details in GP automatically

Registrar, IT, Financial controller

April 2014 IP

10.5. Withdrawal after deadline (very late in the semester)

Students Recommendations: Midterms must be announced early Deadline for withdrawal must be the week after the midterm – relaxed withdrawal policy will encourage the students’ big time not to study as they have the late withdrawal option.

These issues are closely ensured in the new ERP.

Registrar/ Faculty advisors

April 2014 IP

10.6. Non-Compliance of UD Student’s Physical file

Student & University Manually following up with incomplete files is a major problem

The new ERP will be in place by April 2014 to ameliorate the risk. The old SIS will be integrated into this.

Registration Team

April 2014 Summer 2014 (June)


10.7. Issues on class attendance

Students – missing more than 25% in any course will lead to course failure

Encountering problem with monitoring 25% attendance due to old SIS reports

The new ERP will be in place by April 2014 to ameliorate the risk. The old SIS will be integrated into this.

Registrar, IT April 2014 IP

10.8. Conditional acceptance <20%

University enrolment levels Ensure that any conditional acceptance will eventually become unconditional - regular

Conditional acceptance should not exceed 20% of total numbers. The new ERP will be in place by April 2014 to ameliorate the risk. The old SIS will be integrated into this.

Recruitment and registration

April 2014 IP

10.9. Ensure strictness in Academic warnings

Students Follow up every main semester Arrange meetings between the students and the president to meet with those at risk.

Students with more than 3 AW must be closely monitored by advisors with a customized graduation plan. The new ERP will help in close monitoring of these at-risk students.

Registrar/ Faculty advisors

April 2014 IP

11. Teaching & Learning

11.1. Competitiveness University and students

UD branding Strategic marketing Strategic student enrolment plan

Consolidated efforts Marketing and Student Recruitment departments

Ongoing -

11.2. Student Scholarships

11.3. Student Attraction & Retention

