PURPOSE:
This Risk Management Policy outlines the principles, framework, and processes for systematically identifying, assessing, responding to, and monitoring risks across Idaho College of Osteopathic Medicine (ICOM) (the “Institution”). The purpose of this policy is to enable informed decision-making, protect institutional assets, support the achievement of strategic objectives, ensure operational resilience, promote a culture of risk awareness, and maintain compliance with applicable laws, regulations, and ethical standards. Effective risk management is crucial for navigating uncertainty, mitigating threats, capitalizing on opportunities, and ensuring the long-term success and sustainability of the Institution. This policy applies to all activities, operations, and functions of the Institution, encompassing strategic, operational, financial, compliance, reputational, and information security risks, with particular emphasis on risks associated with technology and reliance on third-party vendors and SaaS applications.
SCOPE:
This policy applies to all activities, operations, functions, units, and individuals within ICOM, including but not limited to:
- Academic programs and activities
- Research activities
- Clinical operations (if applicable)
- Administrative functions (finance, human resources, facilities, etc.)
- Information Technology (IT) infrastructure and systems
- Data and information assets (including student data, research data, financial data, etc.)
- Financial operations and investments
- Compliance with laws and regulations
- Reputation and public image
- All third-party vendor relationships and outsourced services, including SaaS applications.
- Physical assets and facilities
- Student and safety
- Business continuity and disaster recovery planning
This policy applies to all individuals associated with ICOM, including but not limited to:
- President and Executive Leadership
- Academic Affairs Leadership
- Deans and Department Heads
- Faculty
- Staff
- Students
- Researchers
- Clinicians (if applicable)
- Affiliates
- Volunteers
- Contractors
- Vendors
- Any individual acting on behalf of the Institution.
DEFINITIONS:
- Enterprise Risk Management (ERM): A holistic and strategic approach to managing all types of risks across an organization, encompassing strategic, operational, financial, compliance, and other risk categories, to achieve organizational objectives and enhance value.
- Likelihood: The probability or chance that a particular risk event will occur within a specified timeframe. Likelihood is often assessed using qualitative or quantitative scales (e.g., Rare, Unlikely, Possible, Likely, Almost Certain; or numerical probabilities).
- Impact: The potential consequences or effects of a risk event if it materializes. Impact is typically assessed in terms of financial loss, operational disruption, reputational damage, regulatory penalties, harm to individuals, or other relevant measures of negative consequences. Impact is often assessed using qualitative or quantitative scales (e.g., Minor, Moderate, Significant, Severe; or monetary values).
- Risk: The potential for an event or action to prevent or hinder the achievement of organizational objectives, or to negatively impact organizational assets or stakeholders. Risk is often expressed as a combination of the likelihood of an event and the magnitude of its potential impact.
- Risk Appetite: The level of risk that an organization is willing to accept in pursuit of its strategic objectives. Risk appetite reflects the organization's overall attitude toward risk-taking.
- Risk Assessment: The process of identifying, analyzing, and evaluating risks to determine their likelihood and potential impact, and to prioritize risks for management attention.
- Risk Framework (Risk Management Framework): A structured and systematic approach to risk management, providing principles, processes, and organizational arrangements for managing risk effectively across an organization. Frameworks often include components such as risk governance, risk identification, risk assessment, risk response, risk monitoring, and risk communication.
- Risk Management: The coordinated and systematic activities to direct and control an organization regarding risk. It involves identifying, assessing, responding to, and monitoring risks to achieve objectives and create value.
- Risk Mitigation (Risk Reduction): Actions taken to reduce the likelihood of a risk event occurring, or to reduce the magnitude of its potential impact if it does occur. Risk mitigation controls may be preventative (reducing likelihood) or detective/corrective (reducing impact).
- Risk Register: A central repository or document used to record, and track identified risks, risk assessments, risk responses, risk owners, and risk monitoring information. The Risk Register serves as a key tool for managing and communicating risk information.
- Risk Response: The strategic choices made to address identified risks. Common risk response strategies include Risk Acceptance, Risk Avoidance, Risk Mitigation, and Risk Transfer.
- Risk Tolerance: The acceptable level of variation in performance relative to objectives that an organization is willing to accept. Risk tolerance is more specific and measurable than risk appetite.
- SaaS Application (Software as a Service): A software delivery model in which software is hosted by a vendor and made available to customers over a network, typically the internet, usually on a subscription basis.
- Third-Party Vendor (Vendor): Any external organization or individual that provides products, services, or processes institutional data on behalf of Idaho College of Osteopathic Medicine (ICOM).
- Key Risk Indicator (KRI): A measurable metric used to monitor the likelihood or impact of a specific risk. KRIs can provide early warning signals of potential risk events.
POLICY:
Risk Management Framework: ICOM will adopt and maintain a comprehensive Risk Management Framework to guide its risk management activities. This framework will be based on recognized risk management standards and best practices (NIST Risk Management Framework). The framework will encompass the following core components:
- Risk Governance: Establishing clear roles, responsibilities, and accountabilities for risk management at all levels of the institution, starting with executive leadership, and extending to all departments and individuals.
- Risk Identification: Systematically identifying potential risks that could impact the Institution’s ability to achieve its objectives. Risk identification will be an ongoing and proactive process, utilizing various methods (e.g., brainstorming, workshops, interviews, surveys, scenario analysis, threat modeling, vulnerability assessments, review of incident history, industry trends, and regulatory changes).
- Risk Assessment: Analyzing and evaluating identified risks to determine their likelihood of occurrence and potential impact on the Institution. Risk assessment will consider both qualitative and quantitative factors and prioritize risks based on their severity and potential consequences. Risk assessment will be performed regularly and whenever significant changes occur in the institution's environment or risk landscape.
- Risk Response: Developing and implementing appropriate risk responses to address identified risks. Risk responses may include:
- Risk Acceptance: Accepting the risk and its potential consequences (often for low- impact, low-likelihood risks).
- Risk Avoidance: Avoiding activities or situations that give rise to the risk (e.g., discontinuing a high-risk service, refraining from entering a high-risk market).
- Risk Mitigation (Risk Reduction): Implementing controls and safeguards to reduce the likelihood or impact of the risk (e.g., implementing security controls, developing contingency plans, improving processes).
- Risk Transfer: Transferring the risk to a third party (e.g., through insurance, outsourcing, contractual agreements, or cybersecurity insurance). The selection of risk response strategies will be based on a cost-benefit analysis, considering the level of risk tolerance defined by the Institution.
- Risk Monitoring and Review: Continuously monitoring and reviewing identified risks and the effectiveness of implemented risk responses. Risk monitoring will involve tracking key risk indicators (KRIs), regularly reassessing risk levels, reviewing incident reports, and adapting risk management strategies as needed. Risk reviews will be conducted periodically (at least annually) and whenever significant internal or external changes occur.
- Risk Communication and Reporting: Establishing clear channels for communicating risk information to relevant stakeholders, including executive leadership, the Board of Trustees/Governing Body, department heads, risk owners, and other personnel as appropriate. Risk reporting will provide timely, accurate, and relevant information about the Institution’s risk profile, risk exposures, and risk management activities.
Risk Governance Structure and Responsibilities:
- Board of Trustees/Governing Body Oversight: The Board of Trustees/Governing Body has ultimate oversight responsibility for risk management at ICOM. The Board will:
- Approve the Institution’s Risk Management Policy and framework.
- Receive regular reports on the institution's risk profile and risk management activities.
- Provide direction and guidance on risk appetite and risk tolerance.
- Executive Leadership Responsibility: The President and executive leadership team are responsible for:
- Championing a culture of risk awareness throughout the institution.
- Ensuring the effective implementation of the Risk Management Policy and framework.
- Establishing clear lines of accountability for risk management across all units and functions.
- Allocating resources for risk management activities.
- Regularly reviewing and discussing the institution's risk profile and risk management effectiveness.
- Risk Management Committee (or Designated Function): ICOM will establish a Risk Management Committee (or designate an existing committee or function, such as an Enterprise Risk Management office, if applicable) responsible for:
- Developing and maintaining the Risk Management Framework and associated procedures.
- Coordinating risk identification and assessment activities across the institution.
- Facilitating risk response planning and implementation.
- Monitoring and reporting on the institution's overall risk profile and risk management effectiveness.
- Promoting risk awareness and providing risk management guidance and training.
- [Specify committee membership and reporting structure].
- Department Head and Unit-Level Responsibilities: Department heads and unit leaders are responsible for:
- Identifying and assessing risks within their respective departments and units.
- Implementing risk responses and controls within their areas of responsibility.
- Escalating significant risks to the Risk Management Committee or executive leadership.
- Promoting risk awareness and accountability within their teams.
- Individual User Responsibilities: All faculty, staff, students, and affiliates are responsible for:
- Being aware of and adhering to institutional risk management policies and procedures.
- Identifying and reporting potential risks they become aware of in their work or activities.
- Participating in risk awareness training and contributing to a risk-conscious culture.
Risk Identification and Assessment Processes:
- Annual Risk Assessment Cycle: ICOM will conduct a comprehensive institution-wide risk assessment at least annually. Departments and units may conduct more frequent risk assessments as needed based on their specific operations and risk profiles.
- Risk Categories: Risk assessments will consider risks across various categories, including but not limited to: Strategic Risks, Operational Risks, Financial Risks, Compliance Risks, Reputational Risks, Information Security Risks, Technology Risks, Human Resources Risks, Legal Risks, and Physical Security Risks.
- Risk Assessment Methodology: Risk assessments will utilize a consistent and documented methodology that includes:
- Identifying Assets: Identifying critical institutional assets (data, systems, infrastructure, personnel, reputation, etc.) that could be impacted by risks.
- Identifying Threats: Identifying potential threats that could exploit vulnerabilities and impact assets (internal threats, external threats, natural disasters, technological failures, etc.).
- Identifying Vulnerabilities: Identifying weaknesses or gaps in controls that could be exploited by threats.
- Analyzing Likelihood and Impact: Evaluating the likelihood of identified risks occurring and the potential impact if they materialize (financial impact, operational disruption, reputational damage, legal consequences, etc.). Utilize a defined risk rating scale (e.g., Low, Medium, High, Critical).
- Documenting Risk Assessments: Documenting the results of risk assessments in a Risk
Register or equivalent system, including risk descriptions, risk categories, assessed
likelihood and impact ratings, risk owners, and planned risk responses.
Risk Response and Control Implementation:
- Risk Response Prioritization: Risk responses will be prioritized based on the level of assessed risk and the Institution’s risk tolerance. High-priority risks will require more immediate and robust risk responses.
- Control Frameworks: Risk mitigation controls will be selected and implemented based on recognized security and control frameworks [e.g., NIST Cybersecurity Framework, ISO 27001 controls, HIPAA Security Rule controls, or specify institution's chosen control frameworks].
- Documentation of Risk Responses: Risk responses and implemented controls will be documented in the Risk Register and associated risk management documentation, including assigned responsibilities, timelines for implementation, and metrics for measuring control effectiveness.
- Resource Allocation for Risk Mitigation: The Institution will allocate necessary resources (financial, personnel, technological) to support the implementation of risk mitigation controls and risk response strategies.
Risk Monitoring and Review Processes:
- Key Risk Indicators (KRIs): Identify and monitor Key Risk Indicators (KRIs) for significant risks to provide early warning signals of potential risk events. KRIs should be measurable and regularly tracked.
- Regular Risk Review Meetings: The Risk Management Committee (or designated function) will conduct regular risk review meetings (e.g., quarterly or semi-annually) to:
- Review the Institution’s Risk Register and risk profile.
- Assess the effectiveness of implemented risk responses and controls.
- Monitor KRIs and identify any changes in risk levels.
- Discuss emerging risks and update risk assessments as needed.
- Report on risk management activities and findings to executive leadership and the Board of Trustees/Governing Body.
- Incident Review and Lessons Learned: Review security incidents, operational disruptions, compliance breaches, and other adverse events to identify root causes, assess the effectiveness of existing risk controls, and incorporate lessons learned into risk assessments and risk response strategies.
Risk Management for SaaS and Third-Party Vendors: Given the Institution's reliance on SaaS and third-party vendors, specific attention will be paid to managing risks associated with these relationships, as outlined in the Third-Party Vendor Management Policy. Risk management activities will include:
- Vendor Risk Assessments (as per Third-Party Vendor Management Policy): Conducting thorough risk assessments of all third-party vendors and SaaS providers prior to engagement, and periodically thereafter.
- SaaS and Cloud-Specific Risk Considerations: Addressing specific risks associated with cloud computing and SaaS, such as data security in multi-tenant environments, data residency concerns, vendor lock-in, cloud service availability, and unique cloud security threats.
- Contractual Risk Transfer and Mitigation (as per Third-Party Vendor Management Policy): Utilizing contracts with vendors to transfer or mitigate risks through contractual clauses related to security, compliance, data privacy, incident response, and liability.
- Ongoing Monitoring of Vendor Risks (as per Third-Party Vendor Management Policy): Continuously monitoring vendor security posture, compliance status, and service performance throughout the vendor lifecycle.
- Integrating Vendor Risks into Institutional Risk Register: Incorporating significant risks identified through vendor risk assessments into the Institution's overall Risk Register and risk management framework.
Risk Awareness and Training: ICOM will promote a culture of risk awareness through:
- Risk Management Training Programs: Providing risk management training to relevant personnel at all levels of the institution, tailored to their roles and responsibilities. Training will cover the Risk Management Policy, risk identification and assessment processes, risk response strategies, and risk reporting procedures.
- Risk Awareness Communications: Conducting regular risk awareness communications to inform faculty, staff, students, and affiliates about key institutional risks, risk management initiatives, and their role in risk mitigation.
- Integration of Risk Management into Decision-Making: Promoting the integration of risk management considerations into all institutional decision-making processes, from strategic planning to operational activities and project management.
Policy Exceptions: Exceptions to this Risk Management Policy may be granted in limited circumstances by the President or Executive Leadership Team, with appropriate justification, comprehensive risk assessment of the exception itself, and documented approval. Exceptions should be rare and subject to periodic review.
ENFORCEMENT:
Enforcement of this Risk Management Policy is the responsibility of all members of the ICOM community, under the overall direction of the President, Executive Leadership Team, and the Board of Trustees/Governing Body. Failure to adhere to risk management policies and procedures, neglecting to identify or report significant risks, or other policy violations may result in disciplinary actions, up to and including warnings, limitations on responsibilities, and termination of employment or affiliation, depending on the nature and severity of the violation, and consistent with other institutional policies and procedures. The Risk Management Committee (or designated function) will monitor compliance with this policy, track risk management activities, and investigate reported violations or risk management deficiencies, escalating concerns to executive leadership as necessary.
POLICY REVIEW AND UPDATES:
This Risk Management Policy and the associated Risk Management Framework will be reviewed and updated at least annually, or as needed to reflect changes in the institution's strategic objectives, operating environment, risk landscape, regulations, industry best practices in risk management, or organizational structure. The Risk Management Committee (or designated function) is responsible for coordinating policy reviews and updates, in consultation with executive leadership, relevant departments, and stakeholders.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual