Enterprise Risk Management Policy

Approved by: Office of the President

Date approved by President: September 1, 2025

Effective date: September 1, 2025

Responsible official: Vice President for Enterprise Risk Management

Responsible University office: Enterprise Risk Management

Revision history: None

Related legislation and University policies: None

Review period: 5 years

Date of last review: N/A

Relates to: Faculty, Staff, Volunteers, Postdocs, and Students


I. Summary of this Policy

This Enterprise Risk Management (ERM) policy outlines the University's commitment to integrating risk management into its culture and strategic planning through a structured and consistent approach to identifying, assessing, mitigating, and reporting risks. The policy applies to all departments, faculty, staff, postdocs, and activities within the University community or governing structure and aims to protect and create value for the University's stakeholders.

II. Purpose(s) of this Policy

The purpose of this ERM Policy is to ensure that risks which could impact the University’s strategic objectives, including its mission, vision, and values, are effectively managed and mitigated.

It provides a comprehensive framework to proactively identify, assess, manage, and report risks.

III. Definitions

Risk: Risk can include one-time occurrences as well as broader trends and forecasts that could have a negative impact on the University’s objectives. Additionally, risk encompasses missed opportunities that could hinder the University from achieving its strategic goals.

Risk Management: The process of identifying, assessing, managing, and mitigating risks. This collaborative approach ensures a comprehensive understanding of risks and fosters a culture of risk awareness and shared responsibility.

Risk Appetite: The level of risk the University is willing to accept in pursuit of its objectives.

Risk Assessment: The process of evaluating the potential impact and likelihood of identified risks.

IV. Aims

The aims of the ERM Policy are to:
  • Establish a framework and process for the consistent application of risk management practices.
  • Integrate risk management into the University’s culture and strategic planning.
  • Promote proactive identification and management of potential risks.
  • Inform decision-making through a comprehensive understanding of how risks are evaluated and controlled.
  • Protect and create value for the University’s stakeholders.

V. Roles and Responsibilities

President and Board of Trustees: Provide overall governance and oversight of the ERM framework.

Enterprise Risk Management Oversight Committee (ERMOC): Charged by the University President to provide guidance and support for the efforts of the ERM program, including maintaining an effective risk management framework. ERMOC members are appointed by the President and include:

  • Deputy General Counsel & Chief Risk Management Officer
  • Executive Vice President and CFO
  • Provost and Executive Vice President
  • Senior Vice President, General Counsel, Secretary of the Corporation, and Chief Risk Management Officer
  • Senior Vice President for Research and Technology Management
  • Senior Vice President, Chief of Staff and Strategic Advisor to the President
  • Vice President, Enterprise Risk Management
  • Vice President, Human Resources

The President may elect to add or remove members at any time.

Vice President for Enterprise Risk Management (VP of ERM): Facilitate the ERM program and ensure consistent and effective application of the ERM Framework. Provide updates to the ERMOC and other risk stakeholders as appropriate.

Risk Owners: Designated by the ERMOC to identify, assess, manage, and report risks within their respective areas of responsibility. Provide risk updates and reports as requested by the VP of ERM and/or the ERMOC.

VI. Risk Management Framework

The University’s risk management framework is a structured approach used by the University to identify, assess, mitigate, and monitor risks to safeguard its objectives and ensure its organizational resilience. The University’s risk management framework consists of the following four steps:

  • Risk Identification: Systematically identifying risks across all operations, programs, and strategic initiatives that could impact the University’s ability to carry out its objectives, while considering both internal and external factors.
  • Risk Assessment: Evaluating the potential impact and likelihood of identified risks through qualitative and quantitative methods, prioritizing them based on severity and urgency.
  • Risk Mitigation: Developing and implementing tailored strategies to manage and mitigate risks, which may include avoidance, reduction, transfer, or acceptance, and integrating these strategies into operational plans.
  • Risk Monitoring and Reporting: Continuously monitoring identified risks and emerging threats, assessing the effectiveness of mitigation strategies, and providing regular reports to stakeholders for informed decision-making.

VII. Risk Appetite

The University’s risk appetite defines the level of risk it is willing to accept in pursuit of its objectives. This appetite is to be reviewed annually by the ERMOC and approved by the President. Risk tolerance levels for specific risks will be determined and communicated to the appropriate risk owners.

VIII. Annual Risk Assessment

An annual risk assessment shall be conducted by the ERM Program with the support of Internal Audit and the University Compliance Program to identify the top risks facing the University and prioritize them based on their likelihood and potential impact. This comprehensive evaluation draws on interviews with a selection of department leadership, managers, faculty, and staff; surveys sent to a selection of department managers and key risk stakeholders; key performance indicator data determined to provide insight into changes in risk outlooks; and industry research, which together are used to create a dynamic dashboard highlighting the top perceived campus risks. This list of perceived risks is then validated with a subset of key leaders and with the President’s Cabinet to create a validated list of the top risks.

The annual risk assessment is not intended to replace existing university regulatory processes. The annual risk assessment process may, at the discretion of the VP of ERM, utilize appropriate University administrative channels to acquire information needed to implement the risk assessment process effectively and efficiently.

IX. Communication and Training

A comprehensive communication plan will be maintained to ensure that risk management information is effectively shared throughout the University. This plan will use the structure of the Enterprise Risk Management Policy to guide the dissemination of key information. This includes regular updates to stakeholders, training programs for employees, and ERM education for ERMOC members.

X. Reporting Concerns of Risks

Risks may be reported by using the Integrity Hotline, reporting directly to a supervisor, or reporting directly to an appropriate central office with oversight of the area of concern. In the case of an imminent threat of harm to any person, please call 911 immediately. A list of reporting resources and a FAQ for this policy are available on the University’s Audit Services web page, under the ERM (Enterprise Risk Management) tab.