Risks are anything that could adversely impact achieving the objectives of the unit or the university.
To identify risks, ask yourself and your staff what could go wrong. Also consider what would be the potential loss or consequences if something did happen. Sometimes the impact is difficult to measure in dollar terms, such as damage to reputation or loss of critical data.
Damage to servers due to disaster, unauthorized access to data, unavailable systems, inadequate systems, sensitive data not secured.
Program losses, incorrect calculations and reports, inefficient use of resources, inadequate programs.
Theft, revenues not collected, inappropriate refunds.
Fraud, purchases for personal use, conflict of interest.
Damaged or stolen equipment, loss of tickets or items for sale.
Non-compliance with federal regulations, unallowable costs charged to project, research fraud, improper animal research or human testing.
Injury or death due to unsafe conditions or disaster.
Management is responsible for implementing appropriate controls to reduce risk and to achieve operational objectives.
Assess whether your practices would reduce each risk to an acceptable level. For example, daily backup of an important database would keep potential loss of data to only one day's worth. The backup also needs to be stored off-site in case of fire or other disaster. In general, controls should be cost-effective, with the cost to implement the procedures in proportion to the benefit.