Office of Risk Management

Enterprise Risk Management

ERM Process

University of Wisconsin System Enterprise Risk Management Process


The chart below represents the basic structure and process used by the University of Wisconsin System to establish an enterprise risk management structure.  A more detailed description of each step in the process follows.

The chart itself is not reproduced here; its steps, in order, are:

  1. Institution ERM orientation to establish goals and objectives and to define common terms.
  2. One-on-one interviews with senior staff identify perceptions of risk, and any pre-existing risk reports are reviewed and the identified risks compiled.
  3. Risk surveys are sent to the direct reports of senior management; the surveys collect risks identified by a cross-functional group of operational-level management.
  4. Campus risk workshop synthesizes all risks identified to date and discusses and assesses new risks; the output report is ready for management review.
  5. Core Working Group reviews and delivers a report of priority risks to the Chancellor.
  6. Chancellor/Risk Council informs the Campus Core or Working Group of decisions on the recommended risks.

ERM Orientation

Chart step: Institution ERM orientation to establish goals and objectives and to define common terms.

The orientation involves the presentation and discussion of various topics to develop a foundation for understanding ERM and a review of the project components.  Orientation topics include an overview of ERM and its distinction from traditional risk management, ERM in higher education, critical components of the ERM process, risk identification and validation, risk mitigation and ownership, and ERM sustainability.  Participation in the orientation session involves a cross-functional representation of campus staff, preferably assembled by a senior administrative champion.

Participants in orientations at UW pilot campuses have included representatives of the following positions:


Chancellor
V. C. Campus Life/Dean of Students
V.C. Administrative Services
Vice Chancellor, Student Affairs
Associate Vice Chancellor, Faculty & Academic Affairs
Associate VC Academic Affairs & Outreach
Asst. Chancellor for University Advancement
Asst. VC Enrollment Management
Asst. VC Chief Information Officer
Asst. to the Chancellor for Affirmative Action and Equal Opportunity

Provost/V.C. & Dean of Faculties
Dean of Students
Dean(s), Assistant, and Associate Dean(s)
Director, Admissions
Director, Alumni Relations
Director, Athletics
Director, Counseling Center
Director, Environmental Health & Safety
Director, Facilities, Planning and Management
Director, Financial Aid
Director, Financial Services
Director, Human Resources
Director, International Education
Director, Library

Director, Protective Services
Director, Resident Life
Director, Safety and Risk Management
Director, Student Health Center
Director, Student Rec. & Wellness Center
Director, Center for Students w/Disabilities
Executive Director, Integrated Marketing & Communications
Executive Director, University Center
Interim Director, Center for Academic Support & Diversity
Interim Director of Academic Support Services
Interim Director of Academic Assessment

President, Faculty Senate
Department Chair
Faculty

Internal Auditor
Controller
Bursar
Registrar
Student Leadership Coordinator
Outreach Program Manager
Budget and Policy Analyst

Student Government Representatives

Risk Identification

Chart steps: One-on-one interviews with senior staff identify perceptions of risk, and any pre-existing risk reports are reviewed and the identified risks compiled. Risk surveys are then sent to the direct reports of senior management; the surveys collect risks identified by a cross-functional group of operational-level management.

Risk identification involves telephone interviews with senior-level staff to help develop a preliminary, high-level risk list for the institution.  Senior staff who have participated in this step include:

Chancellor
Vice Chancellor for Administration and Finance
VC, Administrative Services
Vice Chancellor of Administrative Affairs
Vice Chancellor of Student Affairs
Vice Chancellor for Campus Life & Dean of Students
Associate Vice Chancellor for Academic Affairs

Provost
Interim Provost
Director – Budget
Athletic Director
Internal Auditor
Director of Risk Management
Payroll and Benefits Specialist
Student Association President

The number of interviews conducted at a specific campus ranges from four to six individuals.

A second means for identifying risks is to survey many of the direct reports of those interviewed.  Staff who have participated in the survey process have included many of the same individuals who were involved in the ERM orientation session.  Institutions have typically surveyed between 20 and 30 individuals.


Risk Validation

Chart steps: Campus risk workshop synthesizes all risks identified to date and discusses and assesses new risks; the output report is ready for management review. The Core Working Group reviews and delivers a report of priority risks to the Chancellor, and the Chancellor/Risk Council informs the Campus Core or Working Group of decisions on the recommended risks.

Risk validation involves a workshop composed of a cross-functional representation of institution staff to validate the identified risks, as well as to identify and validate any new risks.  Risks are validated based on their likelihood of occurring within 36 months and on their anticipated impact, as defined by a materiality matrix.  Likelihood is assessed on a four-point scale.

Likelihood (L) Scale:

  • 1 = Low – Possible but unlikely to occur; remote (less than 10%)
  • 2 = Moderate – Moderate risk of occurrence; maybe (between 10-50%)
  • 3 = Probable – Likely to occur (between 50-75%)
  • 4 = Almost Certain – Very likely to occur in immediate future (greater than 75% chance)

Materiality can be defined as a specific reference point used to categorize the magnitude of the impact of a risk.  Materiality is used to categorize risks from different parts of the organization to allow for detailed, cross-functional discussion, with the levels ranging from low to extreme.  An illustration of a materiality matrix can be found here.

By combining the consensus perception of a risk's likelihood of occurring with its impact, the risk can be mapped relative to other risks.  Often referred to as a Heat Map, a map of identified risks allows an organization to begin determining which risks merit mitigation efforts and which risks can be retained at their present level of perceived likelihood and impact.

Sample Inherent Risk Map (Heat Map)

To better determine which risks may require efforts to mitigate, an assessment of existing controls is necessary. 

Types of controls are:

  • Rule-based – Policy, process, or standard.
  • Management Control – Responsibility for control is assigned to a specific person or function within the organization.
  • Compliance-based – Rule-based or Management Control, where adherence is verified.
  • Physical Control – Barrier, mechanical, or computer control.
  • Risk Culture – Tone at the top for managing risk.

The more controls in place, the better a risk may be managed.  However, in an environment of reduced resources, adding controls is often unrealistic.  Controls, much like risk likelihood and impact, can be assessed on a scale from weak to strong.

By combining the current perception of a risk's likelihood and impact with the strength of existing controls, the necessary information is available to begin prioritizing an organization's response to its current risk profile.
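As an added worked example (not part of the UW System process description or its handbook), the following Python script applies the scoring described above to a small constructed register of campus security risks. The four-point likelihood scale is the page's own; the four-level impact scale (low to extreme), the three-point control-strength scale, the heat-map zone thresholds, and the rule that strong controls lower effective likelihood are all assumptions made for illustration. It goes slightly beyond the text by also computing a residual score after controls and sorting the register into a mitigation priority order.

```python
"""ERM-style risk scoring: inherent heat map, control adjustment, retain/mitigate split.

Assumptions (not from the UW System page): impact has four levels, control strength
has three, a strong control lowers effective likelihood by up to two points, and any
risk outside the green zone after controls is flagged for mitigation.
"""
from dataclasses import dataclass

# Likelihood scale as given on the page (36-month horizon).
LIKELIHOOD = {1: "Low", 2: "Moderate", 3: "Probable", 4: "Almost Certain"}
# Assumed materiality (impact) levels, low to extreme.
IMPACT = {1: "Low", 2: "Moderate", 3: "High", 4: "Extreme"}
# Assumed control-strength scale, weak to strong.
CONTROL = {1: "Weak", 2: "Adequate", 3: "Strong"}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1..4
    impact: int      # 1..4
    control: int     # 1..3


def inherent_score(r: Risk) -> int:
    """Likelihood x impact before considering controls (1..16)."""
    return r.likelihood * r.impact


def heat_zone(score: int) -> str:
    """Map a score onto heat-map colours; thresholds are constructed for this example."""
    if score >= 12:
        return "red"
    if score >= 6:
        return "amber"
    return "green"


def residual_score(r: Risk) -> int:
    """Score after controls: each control point above 'weak' lowers likelihood by one, floor 1."""
    effective_likelihood = max(1, r.likelihood - (r.control - 1))
    return effective_likelihood * r.impact


def response(r: Risk) -> str:
    """Retain if the residual score sits in the green zone, otherwise mitigate."""
    return "retain" if heat_zone(residual_score(r)) == "green" else "mitigate"


def heat_map(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Inherent heat map: (likelihood, impact) cell -> names of risks in that cell."""
    grid: dict[tuple[int, int], list[str]] = {}
    for r in risks:
        grid.setdefault((r.likelihood, r.impact), []).append(r.name)
    return grid


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest residual score first; ties broken by inherent score."""
    return sorted(risks, key=lambda r: (residual_score(r), inherent_score(r)), reverse=True)


# Constructed sample register; names and scores are illustrative only.
REGISTER = [
    Risk("Phishing credential theft, payroll staff", likelihood=4, impact=3, control=1),
    Risk("Unpatched student-records system", likelihood=3, impact=4, control=2),
    Risk("Data-center flooding", likelihood=1, impact=4, control=3),
    Risk("Lost master key, residence hall", likelihood=3, impact=1, control=1),
    Risk("Ransomware on research file share", likelihood=2, impact=4, control=3),
]


def render(risks: list[Risk]) -> list[str]:
    """Text rows for a management report: one row per risk in priority order."""
    rows = []
    for r in prioritize(risks):
        rows.append(
            f"{r.name:42s} L={LIKELIHOOD[r.likelihood]:14s} I={IMPACT[r.impact]:8s} "
            f"C={CONTROL[r.control]:8s} inherent={inherent_score(r):2d} "
            f"({heat_zone(inherent_score(r))}) residual={residual_score(r):2d} -> {response(r)}"
        )
    return rows


if __name__ == "__main__":
    print("\n".join(render(REGISTER)))
```

The residual column is what the Risk Council would act on: the ransomware risk scores amber on the inherent map but drops to green once its strong controls are counted, so it is retained and monitored rather than sent into the mitigation process, while the two red-zone risks with weak or adequate controls head the mitigation list.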

Risk Response

Following risk validation, risks are placed in one of two categories – Risk Retention or Risk Mitigation:

Retention:  Risk retention simply means that a risk is accepted at this time and current controls are retained, maintained, and monitored.

Mitigation:  If a risk or threat is unacceptable and cannot be placed in risk retention, additional mitigation activities are developed. The risks are prioritized, and programs, processes, or physical investments are identified that will control an event's impact and/or likelihood to a level which brings it into risk retention.  Techniques may include finding a way to avoid the risk, transferring a risk through mechanisms such as insurance or outsourcing, or employing one or more of the risk controls previously mentioned.

Risk Ownership:
For risks identified as requiring risk mitigation activities to bring them into risk retention, a risk owner is identified.
A risk owner is the individual who will take the lead in developing a mitigation activity plan. Typically, the risk owner will operate with direct support from the Risk Council and the business unit/senior management and will be able to call on others with specialized skills throughout the organization.  In addition to this lead role in the development and execution of the mitigation activity plan, the risk owner will be responsible for communicating progress to the Risk Council and senior management.

ERM Risk Mitigation Process

The following lists the process an identified risk follows once it is selected for Risk Mitigation:

  1. Risks are identified as requiring additional mitigation efforts.
  2. Campus ERM Working Group discusses the risk (risks above a specific level) and decides whether it agrees that additional mitigation is required.
  3. Campus ERM Working Group presents the risk to the campus Risk Council for confirmation. Risk is confirmed.
  4. Risk is confirmed for a risk mitigation initiative. Recommended risk owner is identified.
  5. Risk Council confirms and assigns/notifies the risk owner.
  6. Risk owner identifies team members and develops the risk mitigation plan.
  7. Risk Council reviews the risk mitigation plan and determines whether it will accomplish the desired objectives.
  8. Risk Council consolidates the risk mitigation plan reports and communicates them as part of the budget strategic planning cycle. If a plan is not accepted, it is sent back to the risk owner for further development or to the Risk Council for further clarification.
  9. Risk mitigation plan is implemented.

A flow chart of the above steps can be found on page 21 in the ERM Handbook.