Enterprise Risk Management
Frequently Asked Questions about ERM
What is ERM?
Enterprise risk management ("ERM") is a process designed to anticipate and analyze potential opportunities and threats that could affect the achievement of the University's objectives. This process is integral to the management and future direction of the University, and should be structured, consistent, and continuous across the entire organization. ERM includes identifying, assessing, deciding on responses to, and reporting on strategic, human capital, compliance, operational, financial, and hazard-related exposures. These exposures include both "risks" that might hinder UVM's attainment of its strategic goals, and "opportunities" that could help the University achieve its strategic goals.
How do I report a risk?
If it is an emergency, dial 911. If it is not an emergency, report the issue either to your supervisor or the relevant office at UVM.
Why is UVM implementing ERM?
UVM began implementing an ERM program in 2008 following the recommendations of an external audit report by Deloitte & Touche. The report determined that UVM had inadequate internal controls to manage and mitigate its institutional risk. A follow-up audit by PricewaterhouseCoopers concurred with Deloitte & Touche's recommendation, noting that ERM was a “best practice.” (Read more about the history of ERM's program.) Both UVM's senior administration and its Board of Trustees' Audit Committee saw the value of taking an institution-wide view of risk to help UVM achieve strategic goals, lessen uncertainty, and maintain a competitive advantage.
Ways that ERM can benefit an organization
- Support the achievement of strategic objectives
- Enhance institutional decision-making
- Create a “risk-aware” culture across the organization
- Reduce operational surprises and losses
- Be ready to act on acceptable opportunities
- Assure greater business continuity
- Improve deployment of capital by aligning risk and resources with strategic objectives
- Bridge departmental silos while drawing on the expertise of highly skilled individual managers
Does ERM replace the University's existing management activities?
No. ERM aims to enhance, not replace, UVM's normal management processes by providing a comprehensive view and consistent analysis of institutional risks and opportunities to inform management decisions.
What do you mean by opportunity or “upside risk”?
While we tend to think of "risks" as negative events, the ERM process is also designed to help an organization think about the "happy surprises" or opportunities that could also present themselves and which would help, as opposed to hinder, the achievement of strategic goals. One example of such an opportunity at UVM was the closure of Trinity College and the opportunity for UVM to acquire the Trinity campus. The ERM process encourages thinking about such possibilities and "what if" scenarios in advance, so that if the opportunity does in fact present itself, the organization has already thought through the issue and is poised to move quickly.
It is also true that many activities, initiatives, and uncertainties can have both positive ("upside") and negative ("downside") impacts. This is similar to weighing the "pros and cons" of an issue. The risk assessment process seeks to consider both sides of how a risk could affect the institution's ability to achieve its strategic goals.
How does enterprise risk management differ from traditional risk management?
Historically, the traditional risk management function has tended to focus on safety, hazard-related, and legal liability issues such as fire prevention, insurance, and workplace safety. ERM both expands and elevates the risk management focus to consider the potential impact of all types of risks (strategic, human capital, compliance, financial, and operational issues, in addition to safety, hazard-related, and legal liability exposures) across the entire organization and examines risks in the context of strategic objectives. ERM is also unique in looking at the upside potential of uncertainties as well as the downside (i.e., potential losses or damages). Finally, ERM is not a stand-alone process. It is meant to enhance and be integrated with management processes such as strategic planning and budgeting.
What is the relationship between ERM and the other offices at UVM that deal with risk, such as Compliance Services or Risk Management & Safety?
Again, because ERM does not replace UVM's normal management processes, UVM offices and departments with expertise in a specific area will continue to play their important roles in helping the institution to manage different types of risk. ERM plays a coordinating role in collecting risk information from across the University and ensuring that it is analyzed and presented to senior decision-makers in a consistent way. To support this coordination and collaboration, the Vice President for Finance & Administration, General Counsel, Chief Compliance & Privacy Officer, Director of Risk Management & Safety, Senior Strategist for Enterprise Risk & Planning, and Chief Internal Auditor meet quarterly as the Risk Assurance Group.
Last modified July 13 2012 11:34 AM