Enterprise Risk Management Policy – Frequently Asked Questions (FAQs)

What is the purpose of the Enterprise Risk Management (ERM) Policy?

The ERM Policy provides a structured, university-wide framework to identify, assess, mitigate, and monitor risks that could affect the University’s strategic objectives, including its mission, vision, and values. It aims to foster a culture of risk awareness and guide informed decision-making.

Who does the ERM Policy apply to?

The policy applies to faculty, staff, postdocs, volunteers, and students. While it outlines leadership roles in the ERM process, broader participation is supported through future guidance and training.

What is considered a “risk” under this policy?

Risk includes one-time events and ongoing trends that may negatively impact University objectives. It also encompasses missed opportunities that hinder strategic goals.

Who oversees the ERM Program?

The Enterprise Risk Management Oversight Committee (ERMOC), appointed by the President, provides governance and support. The Vice President for Enterprise Risk Management (VP of ERM) facilitates the ERM Program.

What are the main steps in the ERM Framework?

  • Risk Identification: Finding risks that could impact operations or objectives.
  • Risk Assessment: Analyzing risk likelihood and impact.
  • Risk Mitigation: Applying strategies such as avoidance, reduction, transfer, or acceptance.
  • Risk Monitoring and Reporting: Ongoing review and reporting to ensure effective mitigation.

How often are risks assessed?

A comprehensive Annual Risk Assessment is conducted with input from various university stakeholders. This process identifies top risks and validates them through executive review.

How are risks reported?

Concerns about risks may be reported via:

  • The University’s Integrity Hotline
  • A supervisor or department leader
  • A central office with oversight for the issue
  • In emergencies, always call 911.

Is training on ERM required?

The policy does not mandate training but does commit to supporting awareness through communication and education. Training programs will be delivered outside the policy through supporting resources.

How are different perspectives incorporated into the ERM process?

The risk assessment process includes surveys, interviews, KPI data, and industry research to gather input from diverse university constituencies. While not all input sources are fixed, the VP of ERM and ERMOC ensure that insights are appropriately considered.

What is meant by “risk appetite”?

Risk appetite refers to the amount and type of risk the University is willing to accept in pursuit of its goals. It is reviewed annually by ERMOC and approved by the President.

Does the policy replace existing compliance or safety processes?

No. The ERM policy complements, but does not replace, existing regulatory, compliance, or safety protocols. It may draw on information from those systems to inform risk assessment.

Is information about the University’s top risks or risk appetite shared publicly?

ERMOC determines the transparency of such information on a case-by-case basis. Disclosure depends on the nature of each risk and the intended audience.

Are students or community members involved in the ERM process?

Students are included in the policy’s scope. While external stakeholders are not directly addressed, external factors are considered during risk identification.

What if reducing one risk increases another?

The risk assessment process prioritizes risks based on likelihood and impact. Trade-offs are considered through this prioritization, though they may not always be explicitly documented.

Will there be additional resources to help understand and apply the policy?

Yes. Supporting materials such as diagrams, training content, and procedural guidance will be developed to help campus units align with the ERM framework.