
Enterprise Risk Management Program

Introduction to Enterprise Risk Management at UVM

DRAFT

What is Enterprise Risk Management?

Enterprise risk management is a structured, consistent, and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives.
Institute of Internal Auditors

A tool to enhance management decision making, corporate governance, and accountability
Facilitates effective management of the uncertainty and associated risks and opportunities facing an organization
Helps an organization get to where it wants to go, and avoid pitfalls and surprises along the way (COSO)
A systematic approach to a historically intuitive exercise (Klein, Mandl, and Sencer)

Enterprise Risk Management: A Broad Approach to Risk

1. All organizations exist to achieve their objectives
2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve them
3. The effect this uncertainty has on an organization's objectives is risk


How ERM Differs from Traditional Risk Management

ERM takes an enterprise-wide approach: considers the potential impact of all types of risks on all processes, activities, stakeholders, products and services
ERM looks at both upside risk (opportunities) and downside risk (potential losses or damage)
ERM assesses risk and opportunity in the context of strategic objectives
ERM enhances existing strategic planning and budgeting processes; it's not a stand-alone process
ERM engages risk owners or subject matter experts to address and manage risks, with consulting and support

[Diagram labels: Enterprise Risk Management; Financial Risk; Human Capital Risk; Strategic Risk; Hazard Risk; Operational Risk; Compliance Risk; callout: The purview of traditional Risk Management]

Benefits of ERM

Supports the achievement of strategic objectives
Enhances institutional decision making
Creates a risk-aware culture across the organization
Reduces operational surprises and losses
Prepares the organization to act on acceptable opportunities
Assures greater business continuity
Improves deployment of capital by aligning risk and resources with strategic objectives
Bridges departmental silos; develops a center of excellence for managing risk; and draws on the expertise of highly skilled individual managers


Relationship Among Strategy, Risk, and Budget

1. Where do we want to go? STRATEGIC OBJECTIVES (University of Vermont Strategic Plan 2009-2013: Sustaining the Advance)
2. How do we get there? STRATEGIC INITIATIVES (Project 1, Project 2, Project 3)
3. What uncertainties could help or hinder us? RISKS & OPPORTUNITIES
4. How should we best allocate our resources? BUDGET


Why is UVM Implementing ERM?

Deloitte & Touche external audit identified weaknesses in our internal control environment
Follow-up external audit by PwC endorsed the proposed ERM initiative and noted it as leading practice
Emerging best practice in higher education and private sector
Bond rating agencies now look for ERM when rating nonfinancial organizations
UVM Board of Trustees supports taking an enterprise-level view of risk
Managing risk supports strategic goals, lessens uncertainty, and helps maintain competitive advantage
Example: economic downturn and resulting financial challenges


ERM Best Practices

Best practices for ERM are still emerging, as ERM is relatively new, especially in higher education
Obtain commitment, full engagement, and support of senior management and governing board; set the tone at the top
Tailor the ERM program to best meet the institution's unique needs and environment, using a best practice model as a framework
Articulate the institution's approach to risk
Establish a common institutional language for talking about risk
Use cross-functional groups to create buy-in, awareness, and engagement, and to provide the broad perspective necessary for effective risk identification and assessment
Integrate ERM into existing processes; don't make it a separate layer or an add-on
Build a risk-aware culture to increase awareness and consideration of risk in decision making throughout the organization
Integrate and retain the knowledge of specialist silos while taking an enterprise view
Enhance internal controls around the areas of highest risk

What Should an ERM Program Consist of?

Principles: Provide the foundation and describe the qualities of effective risk management in an organization
Framework: Manages the overall process and its full integration into the organization
Risk Management Process: Focuses on individual or groups of risks, their identification, analysis, evaluation, and response

[Diagram labels: Context; Risk identification; Risk analysis; Risk evaluation; Risk response]

Monitoring, review, continual improvement, and communication occur throughout

UVM's ERM Framework

ERM Context

Institutional Strategy
University mission and vision
University strategic plan
External and internal context

Institutional Governance
Commitment, engagement, and sponsorship
Roles and responsibilities
Program oversight and management

ERM Culture
ERM program goals and objectives
ERM guiding principles
UVM risk philosophy
UVM risk tolerance
Risk awareness
Risk ownership
Common language
ERM policy and procedures
Risk decisions

ERM Process
Risk assessment
Risk identification
Risk analysis
Risk evaluation
Risk response

ENABLING ACTIVITIES
Communication, coordination & consultation
Change management
Education & training
Monitoring & reporting
Continuous improvement

ERM Program Purpose & Goals

The purpose of UVM's ERM program is to enhance the University's ability to achieve its mission, vision, and strategic objectives and strengthen its competitive position by fostering an institution-wide culture of risk and opportunity awareness and by providing a structured, consistent, and continuous process for the early and proactive identification and reporting of material risks and opportunities to senior management and trustees.

In support of this overall purpose, UVM has established the following goals and objectives for ERM:

1. Create a culture of risk awareness where all employees understand and consider risk in decision making.
[Supporting objectives intentionally omitted]

2. Reduce operational surprises and losses.

3. Increase capacity to identify and seize opportunities by facilitating greater transparency and openness regarding risk.

4. Enhance institutional decision making by providing senior management and trustees with timely and robust information that improves their understanding of enterprise-level risks and opportunities.
[Supporting objectives intentionally omitted]

5. Improve the efficiency and effectiveness of institutional risk management efforts.
[Supporting objectives intentionally omitted]


The Risk Management Process

Risk Assessment

1 Context
Understand organizational objectives and the external and internal environment

2 Identification
Find, recognize, and describe risks
Write a risk statement that includes sources, events, causes and consequences

3 Analysis
Comprehend the nature of risk and determine the level of a risk
Determine the risk's potential impact and likelihood

4 Evaluation
Compare the results of risk analysis with risk criteria to determine whether the risk is acceptable.
Prioritize risks.

5 Response
Modify the risk by mitigating, avoiding, transferring, or accepting the risk.

6 Monitoring & Reporting
Continually check the status of a risk to identify change from the performance level required or expected.

7 Communication & Consultation
Inform and engage in dialogue with stakeholders regarding the current state of risks and their management.


The Risk Management Process at UVM

Risk Assessment

1 Context
President, other senior UVM officials establish UVM Strategic Plan
Deans, Vice Presidents, and other senior officials establish College, School, and Divisional plans

2 Identification
Risk Assurance Group (Risk Mgmt & Safety, Compliance & Privacy, Internal Audit, VPFA, General Counsel)
Senior UVM officials
Preliminary risk inventory

3 Analysis
Responsible Officials and designated participants, facilitated by ERMAC Co-Chairs
Risk register

4 Evaluation
ERM Advisory Committee
President's Advisory Committee on ERM
President's Sr. Leadership and Deans' Council
President
Risk portfolio

5 Response
Responsible Officials develop plan
PACERM reviews plans
President approves plans
Responsible Officials implement plans
Risk response plans & budgets

6 Monitoring & Reporting
Responsible Officials and Risk Assurance Group monitor status of risk and risk response

7 Communication & Consultation
Quarterly ERM status reports and regular Compliance and Internal Audit reports to BoT Audit Committee
ERM annual report including risk portfolio, heat map, and status of priority risks to Audit Committee and Committee of the Whole
