AU Risk Management Plan 2019

AU Risk Management Plan Academic Year 2019 Office of the Vice Rector for Policy, Planning and Quality Assurance

Risk Evaluation Document No. 1 Academic Year 2018 Risk Category Risk Analysis Mitigation Residual Before Risk After mitigation mitigation Specific Risk 1. Strategy 2. Operations 3. Student Graduation 4. Finance 5. People 6. Compliance Likelihood (1-5) Impact (1-5) Risk Factor Matrix Result (Likelihood xImpact) Project (OYPB) Likelihood (1-5) Impact (1-5) Remaining Risk Factors 1. Rapid dissemination of x x 4 4 16 1) Issue regulations and/or 3 4 12 misinformation that guidelines regarding misleads and adversely information and impacts on the communication technology University’s image (ICT) security for network and information system users of Assumption University 2) Raise awareness of and educate AU students and personnel regarding computer-related offences Act (No. 2) B.E. 2560 3) Set up “Corporate Communications” unit 2. Shortage of financial xx x 4 5 20 1) Increase participation in 3 4 12 resources oversea educational exhibition 2) Establish new MOU and make effective use of current MOU 3) Develop student retention plan and ensure effective implementation 4) Develop financial and long-term business plan and ensure effective implementation 5) Develop and promote alternative souces of income 6) Develop & offer new programs which are in demand and close programs which are outdated & not in demand 1 Office of the Vice Rector for Policy, Planning and Quality Assurance

Risk Category Risk Analysis Mitigation Residual Before Risk After mitigation mitigation Specific Risk 1. Strategy 2. Operations 3. Student Graduation 4. Finance 5. People 6. Compliance Likelihood (1-5) Impact (1-5) Risk Factor Matrix Result (Likelihood xImpact) Project (OYPB) Likelihood (1-5) Impact (1-5) Remaining Risk Factors 3. Inefficient and x 4 5 20 1) Formulate plans and 4 4 16 vulnerable ICT systems implement the drills regarding ICT threat prevention 2) Formulate a Business Continuity Plan (BCP) to handle the attacks by ICT malicious mischief 3) Raise awareness of and educate AU students and personnel regarding ICT threat prevention according to the specified plan 4) Enhance and optimise backup bandwidth 5) Establish feasible backup link, both between campuses and external links 6) Procure essential network infrastructure and / or equipment for efficient & feasible systems 7) Carry out proper and sufficient maintenance of network infrastructure and/or equipment 8) Survey and analyze demand of users 9) Replace obsolete equipment by proper equipment which is essential to work performance 2 Office of the Vice Rector for Policy, Planning and Quality Assurance

Risk Category Risk Analysis Mitigation Residual Before Risk After mitigation mitigation Specific Risk 1. Strategy 2. Operations 3. Student Graduation 4. Finance 5. People 6. Compliance Likelihood (1-5) Impact (1-5) Risk Factor Matrix Result (Likelihood xImpact) Project (OYPB) Likelihood (1-5) Impact (1-5) Remaining Risk Factors 4. Catastrophe i.e. Fire, x x x 1 5 5 1) Formulate response plans 1 5 5 flood, earthquake, and implement the drills collapse of building, regarding fire, flood, epidemic earthquake, collapse of building, epidemic 2) Formulate a Business Continuity Plan (BCP) for an uninterrupted operation 3) Exercise the drills of security guards regarding various emergency cases 3 Office of the Vice Rector for Policy, Planning and Quality Assurance

Risk Assessment Document No. 2 Academic Year 2019 Risk Category Risk Analysis Risk Response Options Specific Risk 1. Strategy 2. Operations 3. Student Graduation 4. Finance 5. People 6. Repulation 7. compliance Likelihood (1-5) Impact (1-5) Risk Factor Matrix (Likelihood x Impact) Take/Accept Mitigate Transfer Terminate 1. Persistent decline of student intake x x x 5 4 20 x x 4 4 16 x 2. Inefficient and vulnerable ICT systems x 3. Catastrophe i.e. Fire, flood, earthquake, x xx 15 5 x collapse of building, epidemic x x 4 4 16 4. Breach of personal data protection 4 Office of the Vice Rector for Policy, Planning and Quality Assurance

Document No. 3 Risk Likelihood Scale Risk Likelihood Scale (Quantitative Measure) Level Likelihood Description 5 4 Very high Mostly every month 3 High Once in 1-6 months and not more than 5 time 2 Once in 1 year 1 Moderate Once in 2-3 years Little Once in 5 years Very little Risk Likelihood Scale (Qualitative Measure) Level Likelihood Description 5 Very high Imminent - is expected to occur in most 4 circumstances 3 2 High Probably occur in most circumstances 1 Moderate Might occur at some time Little Could occur at some time Very little May occur only in exceptional circumstances 5 Office of the Vice Rector for Policy, Planning and Quality Assurance

Document No. 4 Risk Impact Scale Risk Impact Scale (Quantitative Measure) Level Likelihood Description 5 4 Very high > 10 million baht 3 2 High > 250,000 baht - 10 million baht 1 Moderate > 50,000 baht - 250,000 baht Little > 10,000 baht - 50,000 baht Very little Less than 10,000 baht Risk Impact Scale (Qualitative Measure) Level Severity Description 5 4 Severe Severe injury causing death or disability 3 Major Severe injury causing hospitalization resulting in temporary work/study stoppage 2 1 Moderate Medical assistance required with possible hospitalization resulting in work/class absence Minor First aid treatment required Negligible No medical assistance or basic first aid attention required 6 Office of the Vice Rector for Policy, Planning and Quality Assurance

Document No. 5 Risk Impact Risk Matrix Very High High 5 5 10 15 20 25 Moderate 4 4 8 12 16 20 Little 3 9 12 15 2 8 10 15 1 2 3 45 Risk Likelihood Risk Acceptance Criteria Risk Level Color Definition Coded Very High Unacceptable Level, it is required to be urgently managed and controlled to reach an Acceptable Level. High Unacceptable Level, it is required to be managed to reach an Acceptable Level. Moderate Acceptable Level, it must be controlled to prevent risk moving to an Unacceptable Level. Little Acceptable Level that does not require any control or additional management. 7 Office of the Vice Rector for Policy, Planning and Quality Assurance

Plan and Project of AU Risk Management Document No. 6 Academic Year 2019 Specific Risk: 1. Persistent decline of intake student Risk Factors Cause and Source of Initiatives Policies/Plans Responsible Due Date Risk Factors - Revise teaching Agents 1.1 Below-target 31 July student 2.2.1 Sharp decline of & learning in 1) Aggressively  Top 2020 admissions undergraduates response to enrolment, market & publicize AU & Management especially Thai employers students - Increase student AU programs Committee recruitment from 2.2.1 Intensification overseas market through Catholic  VP for and expansion of - Enhance student higher education exchange and network Academic and programme undergraduate - Adopt schools Affairs programme alternative sources of funds 2) Design branding  OUR 2.2.1 Vocational study - Improve quality encouragement of human strategy & launch  All Schools by Government resources especially who branding 2.2.1 Persistent are in charge of decline of rendering campaign of each population birth services to rate student school promoting 8 distinctive uniqueness beyond competitors in the international level 3) Organize teaching & learning courses in which students can accumulate study credits either through online study (Massive Open Online Courses: MOOC) or conventional classroom study then transfer accumulative credits to the normal program 4) Increase participation in overseas educational exhibition 5) Integrate courses to develop multidisciplinary programs 6) Develop new programs or modify existing programs in response to market demand Office of the Vice Rector for Policy, Planning and Quality Assurance

Risk Factors Cause and Source of Initiatives Policies/Plans Responsible Due Date Risk Factors Agents 7) Terminate programs which are outdated & not in demand 8) Organize short/training courses, which participants earn the certificates, in response to market demand e.g. digital marketing, language courses, computer program courses, soft skill courses. 9) Develop student retention plan and ensure effective implementation 10) Develop financial & long-term business plan and ensure effective implementation 11) Develop and promote alternative souces of income e.g. research grants, academic services, rental spaces, short- course training program, government projects, consultancy project 9 Office of the Vice Rector for Policy, Planning and Quality Assurance

Specific Risk: 2. Inefficient and vulnerable ICT systems Risk Factors Cause and Source Initiatives Policies/Plans Responsible Due Date of Risk Factors Agents 2.1 Attacks by ICT 2.1.1 Software/ - Formulate 1) Formulate plans  Top 31 July and implement 2020 malicious mischief program bugs written policies the drills Management regarding ICT Committee e.g. hackers, 2.1.2 Security and plans threat prevention  Office of Vice crackers etc. in the vulnerable regarding 2) Formulate a Rector for Business Information and form of network security of ICT Continuity Plan (BCP) to handle Communication a. Data interception 2.1.3 Security system & ICT the attacks by Technology ICT malicious  Office of the and theft vulnerable usages mischief University b. Denial-of-Service software/ - Implement 3) Raise awareness Registrar of and educate (Dos) attack program threat prevention AU students and personnel c. Malicious software 2.1.4 Neglectful plan regarding regarding ICT threat prevention (malware) e.g. users and/or ICT according to the specified plan Trojan horses, system - Monitor and 1) Enhance and hijacking software, administrators evaluate the optimise backup bandwidth ransomware, 2.1.5 IT-illiteracy success of ICT 2) Establish feasible computer viruses, users threat prevention backup link, both between worms, spyware etc. - Revise threat campuses and external links d. Data alteration on prevention plan 3) Procure essential the website or in the regarding ICT network infrastructure database system according to the and/ or equipment for efficient & evaluation feasible systems results 4) Carry out proper and sufficient 2.2 Network connection 2.2.1 Insufficient - Develop and maintenance of network malfunction, both network enhance network infrastructure and/or equipment internal and external capacity infrastructure links 2.2.2 Inefficient and / or network equipment to a infrastructure feasible level and / or - Develop and equipment due seek approval of to a plan regarding obsolescence proper and and/or low sufficient quality maintenance of equipment network 2.2.3 Malfunction infrastructure and/or and / or breakdown of equipment network infrastructure and / or equipment due to accident or infrastructure and /or equipment itself 10 Office of the Vice Rector for Policy, Planning and Quality Assurance

Risk Factors Cause and Source Initiatives Policies/Plans Responsible Due Date of Risk Factors Agents - Develop a 1) Survey and 2.3 Malfunction and/or 2.3.1 Obsolete feasible analyze demand replacement and of users breakdown of ICT equipment maintenance plan of ICT 2) Replace obsolete equipment regarding equipment equipment by regarding proper equipment teaching & learning teaching & which is essential learning and to work and office operation office operation performance e.g. PCs, projectors, etc. Specific Risk: 3. Catastrophe i.e. Fire, flood, earthquake, collapse of building, epidemic Risk Factors Cause and Source Initiatives Policies/Plans Responsible Due Date of Risk Factors Agents 3.1 Earthquake or - Assess the risk 1) Formulate 31 July severe building fire 3.1.1 Short circuit impact and risk response plans  Office of Vice 2020 causing a collapse and arson likelihood using and implement Rector for of the building statistical data to the drills Administrative 3.1.2 Natural formulate a risk regarding fire, Affairs 3.2 Severe flood disaster management flood, earthquake, requiring electricity plan and make collapse of  Office of Vice cut-off and causing decision building, Rector for a power outage epidemic Legal and - Procure Privilege 3.3 Riot appropriate 2) Formulate a Affairs insurance Business policies Continuity Plan  Office of (BCP) for an Human - Inspect and uninterrupted Resources maintain the operation Management equipment to be in an operational 3) Exercise the drills condition of security guards regarding various emergency cases 4) Post hotline numbers for emergency throughout the campus, especially at the laboratory 11 Office of the Vice Rector for Policy, Planning and Quality Assurance

Specific Risk: 4. Breach of personal data protection Risk Factors Cause and Source Initiatives Policies/Plans Responsible Due Date of Risk Factors Agents 4.1 Loss/leakage - Determine 1) Establish 31 July of personal 4.1.1 Lack of  Top 2020 data of awareness adequate internal implementation Management personnel and regarding the Committee students necessity of control measures guidelines for the protection  Office of Vice for sensitive to prevent personal data Rector for and Information and confidential installation and protection in Communication data e.g. Technology personal data usage of pirated accordance with of personnel  All Schools and students software international &Supporting - Formulate policies, standards e.g. Units 4.1.2 Use of pirated software (as it strategies, and The General Data is not eligible for security mechanisms Protection and patch updates, regarding software Regulation including other services administration to (GDPR) of EU regarding security from increase efficiency the software company) and tighten data security of the University - Formulate policies regarding personal data protection and disseminate to all relevant parties for acknowledgment and implementation 12 Office of the Vice Rector for Policy, Planning and Quality Assurance