The aim of risk management is to protect everything that adds value to EPFL, including its human capital, reputation, resources (both tangible and intangible) and facilities. Risk management concerns the whole of EPFL: Senior Management, central services, the schools, the colleges and the outposts in Valais, Fribourg, Geneva and Neuchâtel.
Legal basis and governance
The ETH Board’s Risk Management Directive of 4 July 2006 outlines the principles for managing risk and financing risk management.
As the six federal institutes of technology in the ETH Domain are granted autonomy under the ETH Act, they are each responsible for managing their own risks and putting in place measures to mitigate risk. EPFL also has internal risk-management regulations.
The EPFL president informs the ETH Board of the main risks and the measures taken to manage and mitigate them.
Organization and processes
The Risk Management Committee (RMC) is in charge of piloting risk management. It coordinates the activities of its sub-committees: Safety, Prevention & Health, IT Security, Insurance, Litigation, Internal Control System, and Audit Coordination.
The RMC informs and advises the president and other members of Senior Management on risk management issues. It supports all EPFL units in coordinating and organizing risk management. The Vice President for Finances chairs the RMC, is responsible for implementing the risk-management policy and has authority to give necessary and appropriate instructions.
The RMC identifies and qualifies major risks on an annual basis, records them in a central registry, and assesses how likely they are to occur and the financial, governance, human-resources and reputational impacts they would have.
Internal control system (ICS)
EPFL has an ICS, which is based on the ETH Board’s requirements in this area. The ICS is used to monitor major financial processes and the corresponding risks, which are assessed and covered by key controls. The ICS includes processes and measures to ensure that accounting, reporting, and the financial statements drawn up under IPSAS are compliant.
The Swiss Federal Audit Office reviews the ICS as part of its annual audit of EPFL’s accounts. The ETH Board’s internal audit team reviews ICS processes using the criteria of conformity, legality, cost-effectiveness and efficiency.
The main risks identified are those that would have a major impact on the School’s finances and/or reputation should they materialize:
- Scientific misconduct and other unethical behavior.
- Inadequate organizational structures, roles and/or responsibilities.
- Harassment and managerial problems within a unit, center, or project that could hinder the School’s ability to operate and/or affect some or all of the organization.
- Insufficient funding to cover the School’s long-term liabilities and non-compliance with regard to third-party funding.
- Violence or the threat of violence suffered by members of the EPFL community.
- Intrusion, loss or disclosure of information and data relating to a business strategy and/or inadequate IT systems leading to a system breakdown.
- Failure to comply with legal and contractual requirements.
- Failure to provide adequate teaching resources, including insufficient human resources (teachers and assistants) and inadequate infrastructure.