Document Reference: ISO31000

Version: 1.0

Issue Date: May 2024


1. Introduction

The Deanship of Digital Transformation and Knowledge Resources at Najran University is committed to implementing an integrated risk management framework in accordance with ISO 31000:2018, aligned with national cybersecurity policies, the Digital Government Authority, and Ministry of Education requirements. This policy aims to enhance the Deanship’s ability to anticipate, analyze, and effectively address risks, thereby protecting assets and ensuring business continuity in support of the university’s strategic objectives.

2. Purpose

  • Establish a systematic framework for risk management at all levels.
  • Enable decision-makers to operate within the approved Risk Appetite.
  • Ensure alignment of risks with strategic and operational goals.
  • Support business continuity and integration with ISO 22301 BCMS.

3. Scope

This policy applies to:

  • All departments and units within the Deanship.
  • Technical systems, digital services, infrastructure, data, human resources, and suppliers.
  • Operational processes, digital projects, and initiatives.

4. General Principles

  • Inclusiveness: Managing all types of risks (strategic, operational, technical, financial, legal, security).
  • Integration: Linking risks with business continuity and digital governance plans.
  • Engagement: Involving all staff and stakeholders in identifying and evaluating risks.
  • Transparency: Documenting all risk management stages in the official risk register.
  • Compliance: Adhering to national regulations (Royal Decrees, Cabinet Decisions, DGA policies, MoE requirements).
  • Continuous Improvement: Regular review and updates to policies and procedures.

5. Methodology

  1. Risk Identification: Capturing potential risks to operations and services, together with their causes and the objectives they affect.
  2. Risk Analysis: Scoring each risk as likelihood × impact using the approved risk matrix.
  3. Risk Evaluation: Classifying each scored risk into a level (Low – Medium – High – Critical) and comparing it against the approved Risk Appetite to decide whether treatment is required.
  4. Risk Treatment: Selecting a treatment option (Avoid – Reduce – Transfer – Accept), assigning a risk owner, and re-scoring the residual risk after treatment.
  5. Monitoring and Review: Periodic tracking of risk status and of the progress of response actions.
  6. Documentation: Recording data in the Risk Register, including:
    • Risk name
    • Causes
    • Impacts
    • Linked objectives
    • Pre/post treatment risk level
    • Risk owner
    • Preventive / corrective actions
    • Status (Applied – Proposed – Open – Archived)

6. Roles and Responsibilities

Roles and responsibilities are assigned as per the administrative decision issued by the Vice-Dean of Digital Transformation on forming the Business Continuity and Risk Committee.

7. Review and Update

  • This policy is reviewed annually or when significant changes occur.
  • Updates are based on internal/external audits and risk reports.
  • All modifications must be approved by the Director of Risk Management and documented in the version log.

8. Testing and Exercises

  • Periodic tests are conducted based on risk scenarios.
  • Results are reviewed and linked to improvement plans and corrective and preventive actions (CAPA).
  • Reports are submitted to the Business Continuity and Risk Committee for approval.

9. Documentation

Risk documentation is the responsibility of the system manager and the department representatives. The risk register is reviewed regularly and improved continuously to ensure the effectiveness of the risk management system.