Office of Risk Management
Enterprise Risk Management
University of Wisconsin System Enterprise Risk Management Process
The chart below represents the basic structure and process used by the University of Wisconsin System to establish an enterprise risk management structure. A more detailed description of each step in the process follows.
The orientation involves the presentation and discussion of various topics to develop a foundation for understanding ERM and a review of the project components. Orientation topics include an overview of ERM and its distinction from traditional risk management, ERM in higher education, critical components of the ERM process, risk identification and validation, risk mitigation and ownership, and ERM sustainability. Participation in the orientation session involves a cross-functional representation of campus staff, preferably assembled by a senior administrative champion.
Participants in orientations at UW pilot campuses have included representatives of the following positions:
- Provost/V.C. & Dean of Faculties
- Director, Protective Services
- President, Faculty Senate
- Student Government Representatives
Risk identification involves telephone interviews with senior-level staff to help develop a preliminary, high-level risk list for the institution. Senior staff who have participated in this step include:
The number of interviews conducted at a specific campus ranges from four to six individuals.
A second means for identifying risks is to survey many of the direct reports of those interviewed. Staff who have participated in the survey process have included many of the same individuals who were involved in the ERM orientation session. Institutions have typically surveyed between 20 and 30 individuals.
Risk validation involves a workshop comprised of a cross-functional representation of institution staff to validate the identified risks, as well as to identify and validate any new risks. Risks are validated based on their likelihood of occurring within 36 months and on their anticipated impact, as defined by a materiality matrix. Likelihood is assessed on a four-point scale.
Likelihood (L) Scale:
- 1 = Low – Possible but unlikely to occur; remote (less than 10% chance)
- 2 = Moderate – Moderate risk of occurrence; may occur (10% to 50% chance)
- 3 = Probable – Likely to occur (50% to 75% chance)
- 4 = Almost Certain – Very likely to occur in the immediate future (greater than 75% chance)
Materiality can be defined as a specific reference point used to categorize the magnitude of the impact of a risk. Materiality is used to categorize risks from different parts of the organization on a common scale, with levels ranging from low to extreme, so that they can be discussed in detail across functions. An illustration of a materiality matrix can be found here.
By combining the consensus perception of a risk's likelihood of occurring with its impact, each risk can be mapped relative to the other risks. Often referred to as a Heat Map, this map of identified risks allows an organization to begin determining which risks merit mitigation efforts and which risks can be retained at their present level of perceived likelihood and impact.
To better determine which risks may require efforts to mitigate, an assessment of existing controls is necessary.
Types of controls are:
- Rule-based – Policy, process, or standard.
- Management Control – Responsibility for control is assigned to a specific person or function within the organization.
- Compliance-based – Rule-based or Management Control, where adherence is verified.
- Physical Control – Barrier, mechanical, or computer control.
- Risk Culture – Tone at the top for managing risk.
In general, the more controls in place, the better a risk can be managed. However, in an environment of reduced resources, adding controls is often unrealistic. Controls, much like risk likelihood and impact, can be assessed on a scale from weak to strong.
By combining the current perception of a risk's likelihood and impact with an assessment of existing controls, the organization has the information it needs to begin prioritizing its response to its current risk profile.
Following risk validation, risks are placed in one of two categories – Risk Retention or Risk Mitigation:
Retention: Risk retention simply means that a risk is accepted at this time and current controls are retained, maintained, and monitored.
Mitigation: If a risk or threat is unacceptable and cannot be placed in risk retention, additional mitigation activities are developed. The risks are prioritized, and programs, processes, or physical investments are identified that will reduce an event's impact and/or likelihood to a level that brings it into risk retention. Techniques may include avoiding the risk, transferring the risk through mechanisms such as insurance or outsourcing, or employing one or more of the types of risk controls listed above.
For risks identified as requiring risk mitigation activities to bring them into risk retention, a risk owner is identified.
A risk owner is the individual who will take the lead in developing a mitigation activity plan. Typically, the risk owner will operate with direct support from the Risk Council and the business unit/senior management and will be able to call on others with specialized skills throughout the organization. In addition to this lead role in the development and execution of the mitigation activity plan, the risk owner will be responsible for communicating progress to the Risk Council and senior management.
ERM Risk Mitigation Process
The following lists the steps an identified risk goes through once it is selected for Risk Mitigation:
- Risks are identified as requiring additional mitigation efforts.
- The Campus ERM Working Group discusses the risk (risks above a specified level) and decides whether it agrees that additional mitigation is required.
- The Campus ERM Working Group presents the risk to the campus Risk Council for confirmation.
- The Risk Council confirms the risk for a risk mitigation initiative, and a recommended risk owner is identified.
- The Risk Council confirms the assignment and notifies the risk owner.
- The risk owner identifies team members and develops a risk mitigation plan.
- The Risk Council reviews the risk mitigation plan and determines whether it will accomplish the desired objectives. If the plan is not accepted, it is sent back to the risk owner for further development or to the Risk Council for further clarification.
- The Risk Council consolidates the accepted risk mitigation plan reports and communicates them as part of the budget and strategic planning cycle.
- The risk mitigation plan is implemented.
A flow chart of the above steps can be found on page 21 in the ERM Handbook.