
AU Risk Management Plan 2019

Published by kanokornknn, 2020-05-18 04:54:24

Description: AU Risk Management Plan 2019

Keywords: AU Risk Plan 2019


AU Risk Management Plan
Academic Year 2019

Office of the Vice Rector for Policy, Planning and Quality Assurance

Document No. 1
Risk Evaluation, Academic Year 2018

Risk Category columns: 1. Strategy, 2. Operations, 3. Student Graduation, 4. Finance, 5. People, 6. Compliance

Specific Risk 1: Rapid dissemination of misinformation that misleads and adversely impacts on the University’s image
Risk Category marks: x x
Risk Analysis, before mitigation: Likelihood (1-5) 4; Impact (1-5) 4; Risk Factor Matrix Result (Likelihood x Impact) 16
Mitigation, Project (OYPB):
1) Issue regulations and/or guidelines regarding information and communication technology (ICT) security for network and information system users of Assumption University
2) Raise awareness of and educate AU students and personnel regarding computer-related offences Act (No. 2) B.E. 2560
3) Set up “Corporate Communications” unit
Residual Risk, after mitigation: Likelihood (1-5) 3; Impact (1-5) 4; Remaining Risk Factors 12

Specific Risk 2: Shortage of financial resources
Risk Category marks: x x x
Risk Analysis, before mitigation: Likelihood (1-5) 4; Impact (1-5) 5; Risk Factor Matrix Result (Likelihood x Impact) 20
Mitigation, Project (OYPB):
1) Increase participation in overseas educational exhibition
2) Establish new MOU and make effective use of current MOU
3) Develop student retention plan and ensure effective implementation
4) Develop financial and long-term business plan and ensure effective implementation
5) Develop and promote alternative sources of income
6) Develop & offer new programs which are in demand and close programs which are outdated & not in demand
Residual Risk, after mitigation: Likelihood (1-5) 3; Impact (1-5) 4; Remaining Risk Factors 12

Specific Risk 3: Inefficient and vulnerable ICT systems
Risk Category marks: x
Risk Analysis, before mitigation: Likelihood (1-5) 4; Impact (1-5) 5; Risk Factor Matrix Result (Likelihood x Impact) 20
Mitigation, Project (OYPB):
1) Formulate plans and implement the drills regarding ICT threat prevention
2) Formulate a Business Continuity Plan (BCP) to handle the attacks by ICT malicious mischief
3) Raise awareness of and educate AU students and personnel regarding ICT threat prevention according to the specified plan
4) Enhance and optimise backup bandwidth
5) Establish feasible backup link, both between campuses and external links
6) Procure essential network infrastructure and/or equipment for efficient & feasible systems
7) Carry out proper and sufficient maintenance of network infrastructure and/or equipment
8) Survey and analyze demand of users
9) Replace obsolete equipment by proper equipment which is essential to work performance
Residual Risk, after mitigation: Likelihood (1-5) 4; Impact (1-5) 4; Remaining Risk Factors 16

Specific Risk 4: Catastrophe i.e. Fire, flood, earthquake, collapse of building, epidemic
Risk Category marks: x x x
Risk Analysis, before mitigation: Likelihood (1-5) 1; Impact (1-5) 5; Risk Factor Matrix Result (Likelihood x Impact) 5
Mitigation, Project (OYPB):
1) Formulate response plans and implement the drills regarding fire, flood, earthquake, collapse of building, epidemic
2) Formulate a Business Continuity Plan (BCP) for an uninterrupted operation
3) Exercise the drills of security guards regarding various emergency cases
Residual Risk, after mitigation: Likelihood (1-5) 1; Impact (1-5) 5; Remaining Risk Factors 5

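Document No. 2
Risk Assessment, Academic Year 2019

Risk Category columns: 1. Strategy, 2. Operations, 3. Student Graduation, 4. Finance, 5. People, 6. Reputation, 7. Compliance
Risk Response Options columns: Take/Accept, Mitigate, Transfer, Terminate

Specific Risk 1: Persistent decline of student intake
Risk Category marks (columns 1-3): x x
Risk Analysis: Likelihood (1-5) 5; Impact (1-5) 4; Risk Factor Matrix (Likelihood x Impact) 20

Specific Risk 2: Inefficient and vulnerable ICT systems
Risk Category marks (columns 1-3): x
Risk Analysis: Likelihood (1-5) 4; Impact (1-5) 4; Risk Factor Matrix (Likelihood x Impact) 16

Specific Risk 3: Catastrophe i.e. Fire, flood, earthquake, collapse of building, epidemic
Risk Category marks (columns 1-3): x
Risk Analysis: Likelihood (1-5) 1; Impact (1-5) 5; Risk Factor Matrix (Likelihood x Impact) 5

Specific Risk 4: Breach of personal data protection
Risk Analysis: Likelihood (1-5) 4; Impact (1-5) 4; Risk Factor Matrix (Likelihood x Impact) 16

Remaining marks (Risk Category columns 4-7; Risk Response Options): xx, xx, x, x, x, x, x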

Document No. 3
Risk Likelihood Scale

Risk Likelihood Scale (Quantitative Measure)
Level 5, Very high: Mostly every month
Level 4, High: Once in 1-6 months and not more than 5 times
Level 3, Moderate: Once in 1 year
Level 2, Little: Once in 2-3 years
Level 1, Very little: Once in 5 years

Risk Likelihood Scale (Qualitative Measure)
Level 5, Very high: Imminent - is expected to occur in most circumstances
Level 4, High: Probably occur in most circumstances
Level 3, Moderate: Might occur at some time
Level 2, Little: Could occur at some time
Level 1, Very little: May occur only in exceptional circumstances

Document No. 4
Risk Impact Scale

Risk Impact Scale (Quantitative Measure)
Level 5, Very high: > 10 million baht
Level 4, High: > 250,000 baht - 10 million baht
Level 3, Moderate: > 50,000 baht - 250,000 baht
Level 2, Little: > 10,000 baht - 50,000 baht
Level 1, Very little: Less than 10,000 baht

Risk Impact Scale (Qualitative Measure)
Level 5, Severe: Severe injury causing death or disability
Level 4, Major: Severe injury causing hospitalization resulting in temporary work/study stoppage
Level 3, Moderate: Medical assistance required with possible hospitalization resulting in work/class absence
Level 2, Minor: First aid treatment required
Level 1, Negligible: No medical assistance or basic first aid attention required

Document No. 5
Risk Matrix (Risk Impact by Risk Likelihood; each cell is Likelihood x Impact)

Risk Impact 5: 5 10 15 20 25
Risk Impact 4: 4 8 12 16 20
Risk Impact 3: 3 6 9 12 15
Risk Impact 2: 2 4 6 8 10
Risk Impact 1: 1 2 3 4 5
Risk Likelihood: 1 2 3 4 5

Risk Acceptance Criteria (Risk Level, Color Coded, Definition)
Very High: Unacceptable Level, it is required to be urgently managed and controlled to reach an Acceptable Level.
High: Unacceptable Level, it is required to be managed to reach an Acceptable Level.
Moderate: Acceptable Level, it must be controlled to prevent risk moving to an Unacceptable Level.
Little: Acceptable Level that does not require any control or additional management.

Document No. 6
Plan and Project of AU Risk Management, Academic Year 2019

Specific Risk: 1. Persistent decline of intake student

Risk Factors:
1.1 Below-target student admissions

Cause and Source of Risk Factors:
1.1.1 Sharp decline of undergraduates enrolment, especially Thai students
1.1.2 Intensification and expansion of higher education and undergraduate programme
1.1.3 Vocational study encouragement by Government
1.1.4 Persistent decline of population birth rate

Initiatives:
- Revise teaching & learning in response to market & employers
- Increase student recruitment from overseas market
- Enhance student exchange programme
- Adopt alternative sources of funds
- Improve quality of human resources especially who are in charge of rendering services to students

Policies/Plans:
1) Aggressively publicize AU & AU programs through Catholic and network schools
2) Design branding strategy & launch branding campaign of each school promoting distinctive uniqueness beyond competitors in the international level
3) Organize teaching & learning courses in which students can accumulate study credits either through online study (Massive Open Online Courses: MOOC) or conventional classroom study then transfer accumulative credits to the normal program
4) Increase participation in overseas educational exhibition
5) Integrate courses to develop multidisciplinary programs
6) Develop new programs or modify existing programs in response to market demand
7) Terminate programs which are outdated & not in demand
8) Organize short/training courses, in which participants earn certificates, in response to market demand e.g. digital marketing, language courses, computer program courses, soft skill courses
9) Develop student retention plan and ensure effective implementation
10) Develop financial & long-term business plan and ensure effective implementation
11) Develop and promote alternative sources of income e.g. research grants, academic services, rental spaces, short-course training program, government projects, consultancy project

Responsible Agents:
- Top Management Committee
- VP for Academic Affairs
- OUR
- All Schools

Due Date: 31 July 2020

Specific Risk: 2. Inefficient and vulnerable ICT systems

Risk Factor 2.1: Attacks by ICT malicious mischief e.g. hackers, crackers etc. in the form of
a. Data interception and theft
b. Denial-of-Service (DoS) attack
c. Malicious software (malware) e.g. Trojan horses, hijacking software, ransomware, computer viruses, worms, spyware etc.
d. Data alteration on the website or in the database system

Cause and Source of Risk Factors:
2.1.1 Software/program bugs
2.1.2 Security vulnerable of network
2.1.3 Security vulnerable software/program
2.1.4 …
2.1.5 IT-illiteracy users

Initiatives:
- Formulate written policies and plans regarding security of ICT system & ICT usages
- Implement threat prevention plan regarding ICT
- Monitor and evaluate the success of ICT threat prevention
- Revise threat prevention plan regarding ICT according to the evaluation results

Policies/Plans:
1) Formulate plans and implement the drills regarding ICT threat prevention
2) Formulate a Business Continuity Plan (BCP) to handle the attacks by ICT malicious mischief
3) Raise awareness of and educate AU students and personnel regarding ICT threat prevention according to the specified plan

Risk Factor 2.2: Network connection malfunction, both internal and external links

Cause and Source of Risk Factors:
2.2.1 Insufficient network capacity
2.2.2 Inefficient network infrastructure and/or equipment due to obsolescence and/or low quality equipment
2.2.3 Malfunction and/or breakdown of network infrastructure and/or equipment due to accident or infrastructure and/or equipment itself

Initiatives:
- Develop and enhance network infrastructure and/or equipment to a feasible level
- Develop and seek approval of a plan regarding proper and sufficient maintenance of network infrastructure and/or equipment

Policies/Plans:
1) Enhance and optimise backup bandwidth
2) Establish feasible backup link, both between campuses and external links
3) Procure essential network infrastructure and/or equipment for efficient & feasible systems
4) Carry out proper and sufficient maintenance of network infrastructure and/or equipment

Risk Factor 2.3: Malfunction and/or breakdown of ICT equipment regarding teaching & learning and office operation e.g. PCs, projectors, etc.

Cause and Source of Risk Factors:
2.3.1 Obsolete equipment

Initiatives:
- Develop a feasible replacement and maintenance plan of ICT equipment regarding teaching & learning and office operation

Policies/Plans:
1) Survey and analyze demand of users
2) Replace obsolete equipment by proper equipment which is essential to work performance

Responsible Agents:
- Top Management Committee
- Office of Vice Rector for Information and Communication Technology
- Office of the University Registrar

Due Date: 31 July 2020

Specific Risk: 3. Catastrophe i.e. Fire, flood, earthquake, collapse of building, epidemic

Risk Factors:
3.1 Earthquake or severe building fire causing collapse of the building
3.2 Severe flood requiring electricity cut-off and causing a power outage
3.3 Riot

Cause and Source of Risk Factors:
3.1.1 Short circuit and arson
3.1.2 Natural disaster

Initiatives:
- Assess the risk impact and risk likelihood using a statistical data to formulate a risk management plan and make decision
- Procure appropriate insurance policies
- Inspect and maintain the equipment to be in an operational condition

Policies/Plans:
1) Formulate response plans and implement the drills regarding fire, flood, earthquake, collapse of building, epidemic
2) Formulate a Business Continuity Plan (BCP) for an uninterrupted operation
3) Exercise the drills of security guards regarding various emergency cases
4) Post hotline numbers for emergency throughout the campus, especially at the laboratory

Responsible Agents:
- Office of Vice Rector for Administrative Affairs
- Office of Vice Rector for Legal and Privilege Affairs
- Office of Human Resources Management

Due Date: 31 July 2020

Specific Risk: 4. Breach of personal data protection

Risk Factors:
4.1 Loss/leakage of personal data of personnel and students

Cause and Source of Risk Factors:
4.1.1 Lack of awareness regarding the necessity of the protection for sensitive and confidential data e.g. personal data of personnel and students
4.1.2 Use of pirated software (as it is not eligible for security and patch updates, including other services regarding security from the software company)

Initiatives:
- Determine adequate internal control measures to prevent installation and usage of pirated software
- Formulate policies, strategies, and mechanisms regarding software administration to increase efficiency and tighten data security of the University
- Formulate policies regarding personal data protection and disseminate to all relevant parties for acknowledgment and implementation

Policies/Plans:
1) Establish implementation guidelines for personal data protection in accordance with international standards e.g. The General Data Protection Regulation (GDPR) of EU

Responsible Agents:
- Top Management Committee
- Office of Vice Rector for Information and Communication Technology
- All Schools & Supporting Units

Due Date: 31 July 2020

