UMN Board of Regents considers new ways to assess institutional risks

The audit and compliance committee will discuss risks at the board's upcoming February meeting.

The University's Board of Regents talk at a meeting on June 10, 2016.

Zach Bielinksi

The University's Board of Regents talk at a meeting on June 10, 2016.

Kelly Busche

The University of Minnesota Board of Regents is set to consider institutional risk-management plans next month as they review the school’s top risk-related priorities.

The institution’s risk profile was last assessed in 2014. While administrators say some risks are unavoidable at a large research university, certain developments, like Title IX updates, require additional risk mitigation plans.

The Board is responsible for managing institutional risks — areas involving legal compliance, or where the University’s reputation could be at risk. 

The current risk heat map, which ranks the school’s risks, lists “commercialization of intellectual property” as a low to moderate risk. State funding, “managing brand and reputation” and “human subject research” are among those listed as moderate or high risks for the University.

Regent Linda Cohen said, “members of the committee and I … felt it was important that we take another look at it,” since the regents hadn’t reviewed the risk profile in four years. Risks may have changed since then, she said.

The Board is also reassessing risks to ensure compliance with certain laws, Cohen said, in “areas where it’s not easy to just carry on day-to-day.”

The process of assessing University risks will also change, with increased administration involvement and a speedier process, Cohen said.

At the upcoming meeting, audit committee members will identify what they believe are the “most crucial risks,” she said. They will also discuss mitigation plans for these risks, which differs from the existing process. Currently, regents pinpoint risks but don’t develop action plans, Cohen said.

“The University will not be, nor would it be helpful to be, a risk-free institution, we probably wouldn’t be doing the best research … in that case,” Cohen said.

Cybersecurity is a prominent risk impacting not only the University, but campuses nationwide, said Brian Burnett, the University’s senior vice president for finance and operations. The “new phenomena” of card chip readers being used across campus poses a cybersecurity risk officials must continuously address, he said.

Burnett said finding the balance between protecting access to University information and allowing students and faculty to continue their work and research is another important cybersecurity mitigation decision. 

“Data privacy/security” is currently listed as high risk on the University’s heat map of institutional risks.

Title IX compliance is a new risk in the University’s profile, Burnett said, but this has been mitigated by mandatory training for all faculty and students. 

The need for risk mitigation isn’t unique to the University, Burnett said.

“This isn’t just a University of Minnesota discussion — this is a national discussion among Universities that look like us,” Burnett said.

Regent Darrin Rosha said the board participates in risk oversight of significant University expenditures and policy changes “to ensure that resources are being protected.” 

The risks the board oversees are determined by comparative size of the University budget, Rosha said.