Administrative officials have oversight responsibility for developing and maintaining a system of controls that identifies and manages risks so that department or project objectives can be achieved.

The Ethics, Risk & Compliance Services Office provides campus leadership in risk assessment, and designing and implementing systems to ensure an effective control environment and acceptable risk mitigation. Information on tools for risk assessment and mitigation, and a listing of selected risks and their related controls can be found on the Risk Services web site.

Risk is the threat that an event or action will adversely affect an organization's ability to achieve its objectives and/or execute its strategies successfully. Risk is the mirror image of opportunity; greater opportunity results in greater risk. There are several types of risk.

  • Strategic risks – doing the wrong things;
  • Operating risks – doing the right things the wrong way;
  • Financial risks – losing financial resources or incurring unacceptable liabilities;
  • Information risks – inaccurate or non-relevant information, unreliable systems, and inaccurate or misleading reports; and
  • Physical risks – fire, earthquake, injury to people and/or things (managed by the Office of Risk Services).

Internal control is any process or action designed to reduce risk and give reasonable assurance that:

  • Operations are effective and efficient;
  • Financial and operational reports are reliable; and
  • Compliance with applicable laws, regulations, and policies and procedures has been achieved.

Inadequate segregation of duties, missing documentation, inappropriate access to assets, inadequate knowledge of UC Berkeley policies and procedures, and/or management override of procedures can jeopardize internal control. Too many controls or controls mitigating the wrong risks (or no risks) lead to inefficiencies.